apiVersion: v1 kind: Namespace metadata: name: kyverno --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 creationTimestamp: null name: clusterpolicies.kyverno.io spec: group: kyverno.io names: kind: ClusterPolicy listKind: ClusterPolicyList plural: clusterpolicies shortNames: - cpol singular: clusterpolicy scope: Cluster versions: - additionalPrinterColumns: - jsonPath: .spec.background name: Background type: string - jsonPath: .spec.validationFailureAction name: Validatoin Failure Action type: string name: v1 schema: openAPIV3Schema: description: ClusterPolicy ... properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: Spec is the information to identify the policy properties: background: default: true description: Background controls if rules are applied to existing resources during a background scan. Default value is "true". type: boolean rules: description: Rules contains the list of rules to be applied to resources. items: description: Rule contains a mutation, validation, or generation action for the single resource description. properties: context: description: Defines variables that can be used during rule execution. items: properties: configMap: properties: name: type: string namespace: type: string type: object name: type: string type: object type: array exclude: description: Selects resources for which the policy rule should not be applied. properties: clusterRoles: description: Specifies list of cluster wide role names. items: type: string type: array resources: description: Specifies resources to which rule is excluded. properties: annotations: additionalProperties: type: string description: Specifies map of annotations. type: object kinds: description: Specifies list of resource kind. items: type: string type: array name: description: Specifies name of the resource. type: string namespaces: description: Specifies list of namespaces. items: type: string type: array selector: description: Specifies the set of selectors. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: description: Specifies list of namespaced role names. items: type: string type: array subjects: description: Specifies list of subject names like users, user groups, and service accounts. items: description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind - name type: object type: array type: object generate: description: Generates new resources. properties: apiVersion: description: Specifies resource apiVersion. type: string clone: description: To clone resource from other resource. properties: name: description: Specifies name of the resource. type: string namespace: description: Specifies resource namespace. type: string type: object data: description: Data specifies the resource manifest to be generated. x-kubernetes-preserve-unknown-fields: true kind: description: Specifies resource kind. type: string name: description: Specifies resource name. type: string namespace: description: Specifies resource namespace. type: string synchronize: default: false description: To keep resources synchronized with source resource. type: boolean type: object match: description: Selects resources for which the policy rule should be applied. If it's defined, "kinds" inside MatchResources block is required. properties: clusterRoles: description: Specifies list of cluster wide role names. items: type: string type: array resources: description: Specifies resources to which rule is applied. properties: annotations: additionalProperties: type: string description: Specifies map of annotations. type: object kinds: description: Specifies list of resource kind. items: type: string type: array name: description: Specifies name of the resource. type: string namespaces: description: Specifies list of namespaces. items: type: string type: array selector: description: Specifies the set of selectors. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: description: Specifies list of namespaced role names. items: type: string type: array subjects: description: Specifies list of subject names like users, user groups, and service accounts. items: description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind - name type: object type: array type: object mutate: description: Modifies matching resources. properties: overlay: description: Specifies overlay patterns. Overlay is preserved for backwards compatibility and will be removed in Kyverno 1.5+. x-kubernetes-preserve-unknown-fields: true patchStrategicMerge: x-kubernetes-preserve-unknown-fields: true patches: description: Specifies JSON Patch. Patches is preserved for backwards compatibility and will be removed in Kyverno 1.5+. items: description: Patch declares patch operation for created object according to RFC 6902. properties: op: description: Specifies operations supported by JSON Patch. i.e:- add, replace and delete. type: string path: description: Specifies path of the resource. type: string value: description: Specifies the value to be applied. x-kubernetes-preserve-unknown-fields: true type: object type: array patchesJson6902: type: string type: object name: description: A unique label for the rule. type: string preconditions: description: Allows condition-based control of the policy rule execution. items: description: Condition defines the evaluation condition. properties: key: description: Key contains key to compare. x-kubernetes-preserve-unknown-fields: true operator: description: Operator to compare against value. type: string value: description: Value to be compared. x-kubernetes-preserve-unknown-fields: true type: object type: array validate: description: Checks matching resources. properties: anyPattern: description: Specifies list of validation patterns. x-kubernetes-preserve-unknown-fields: true deny: description: Specifies conditions to deny validation. properties: conditions: description: Specifies set of condition to deny. items: description: Condition defines the evaluation condition. properties: key: description: Key contains key to compare. x-kubernetes-preserve-unknown-fields: true operator: description: Operator to compare against value. type: string value: description: Value to be compared. x-kubernetes-preserve-unknown-fields: true type: object type: array type: object message: description: Specifies message to be displayed on validation policy violation. type: string pattern: description: Specifies validation pattern. x-kubernetes-preserve-unknown-fields: true type: object type: object type: array validationFailureAction: default: audit description: ValidationFailureAction controls if a policy failure should not disallow an admission review request (enforce), or allow (audit) and report an error. Default value is "audit". type: string type: object status: description: Status contains statistics related to policy properties: averageExecutionTime: description: Average time required to process the policy rules on a resource. type: string resourcesBlockedCount: description: Count of resources that were blocked for failing a validate, across all rules. type: integer resourcesGeneratedCount: description: Count of resources that were successfully generated, across all rules. type: integer resourcesMutatedCount: description: Count of resources that were successfully mutated, across all rules. type: integer ruleStatus: items: description: RuleStats provides status per rule. properties: appliedCount: description: Count of rules that were applied. type: integer averageExecutionTime: description: Average time require to process the rule. type: string failedCount: description: Count of rules that failed. type: integer resourcesBlockedCount: description: Count of resources for whom update/create api requests were blocked as the resource did not satisfy the policy rules. type: integer resourcesGeneratedCount: description: Count of resources that were successfully generated. type: integer resourcesMutatedCount: description: Count of resources that were successfully mutated. type: integer ruleName: description: Rule name. type: string violationCount: description: Number of violations created by this rule. type: integer required: - ruleName type: object type: array rulesAppliedCount: description: Count of rules that were applied. type: integer rulesFailedCount: description: Count of rules that failed. type: integer violationCount: description: Number of violations created by this policy. type: integer type: object required: - spec type: object served: true storage: true subresources: status: {} status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 creationTimestamp: null name: clusterpolicyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io names: kind: ClusterPolicyReport listKind: ClusterPolicyReportList plural: clusterpolicyreports shortNames: - cpolr singular: clusterpolicyreport scope: Cluster versions: - additionalPrinterColumns: - jsonPath: .scope.kind name: Kind priority: 1 type: string - jsonPath: .scope.name name: Name priority: 1 type: string - jsonPath: .summary.pass name: Pass type: integer - jsonPath: .summary.fail name: Fail type: integer - jsonPath: .summary.warn name: Warn type: integer - jsonPath: .summary.error name: Error type: integer - jsonPath: .summary.skip name: Skip type: integer - jsonPath: .metadata.creationTimestamp name: Age type: date name: v1alpha1 schema: openAPIV3Schema: description: ClusterPolicyReport is the Schema for the clusterpolicyreports API properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category type: string data: additionalProperties: type: string description: Data provides additional information for the policy rule type: object message: description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: description: Resources is an optional reference to the resource checked by the policy and rule items: description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object type: array rule: description: Rule is the name of the policy rule type: string scored: description: Scored indicates if this policy rule is scored type: boolean severity: description: Severity indicates policy severity enum: - high - low - medium type: string status: description: Status indicates the result of the policy rule check enum: - pass - fail - warn - error - skip type: string required: - policy type: object type: array scope: description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: description: Error provides the count of policies that could not be evaluated type: integer fail: description: Fail provides the count of policies whose requirements were not met type: integer pass: description: Pass provides the count of policies whose requirements were met type: integer skip: description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object served: true storage: true subresources: {} status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 creationTimestamp: null name: clusterreportchangerequests.kyverno.io spec: group: kyverno.io names: kind: ClusterReportChangeRequest listKind: ClusterReportChangeRequestList plural: clusterreportchangerequests singular: clusterreportchangerequest scope: Cluster versions: - additionalPrinterColumns: - jsonPath: .scope.kind name: Kind priority: 1 type: string - jsonPath: .scope.name name: Name priority: 1 type: string - jsonPath: .summary.pass name: Pass type: integer - jsonPath: .summary.fail name: Fail type: integer - jsonPath: .summary.warn name: Warn type: integer - jsonPath: .summary.error name: Error type: integer - jsonPath: .summary.skip name: Skip type: integer - jsonPath: .metadata.creationTimestamp name: Age type: date name: v1alpha1 schema: openAPIV3Schema: description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests API properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category type: string data: additionalProperties: type: string description: Data provides additional information for the policy rule type: object message: description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: description: Resources is an optional reference to the resource checked by the policy and rule items: description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object type: array rule: description: Rule is the name of the policy rule type: string scored: description: Scored indicates if this policy rule is scored type: boolean severity: description: Severity indicates policy severity enum: - high - low - medium type: string status: description: Status indicates the result of the policy rule check enum: - pass - fail - warn - error - skip type: string required: - policy type: object type: array scope: description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: description: Error provides the count of policies that could not be evaluated type: integer fail: description: Fail provides the count of policies whose requirements were not met type: integer pass: description: Pass provides the count of policies whose requirements were met type: integer skip: description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object served: true storage: true subresources: {} status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 creationTimestamp: null name: generaterequests.kyverno.io spec: group: kyverno.io names: kind: GenerateRequest listKind: GenerateRequestList plural: generaterequests singular: generaterequest scope: Namespaced versions: - name: v1 schema: openAPIV3Schema: description: GenerateRequest is a request to process generate rule properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: Spec is the information to identify the generate request properties: context: description: Context ... properties: userInfo: description: RequestInfo contains permission info carried in an admission request properties: clusterRoles: description: ClusterRoles is a list of possible clusterRoles send the request items: type: string type: array roles: description: Roles is a list of possible role send the request items: type: string type: array userInfo: description: UserInfo is the userInfo carried in the admission request properties: extra: additionalProperties: description: ExtraValue masks the value so protobuf can generate items: type: string type: array description: Any additional information provided by the authenticator. type: object groups: description: The names of groups this user is a part of. items: type: string type: array uid: description: A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs. type: string username: description: The name that uniquely identifies this user among all active users. type: string type: object required: - clusterRoles - roles - userInfo type: object type: object policy: description: Specifies the name of the policy type: string resource: description: ResourceSpec is the information to identify the generate request properties: apiVersion: description: Specifies resource apiVersion. type: string kind: description: Specifies resource kind. type: string name: description: Specifies resource name. type: string namespace: description: Specifies resource namespace. type: string type: object required: - context - policy - resource type: object status: description: Status contains statistics related to generate request properties: generatedResources: description: This will track the resources that are generated by the generate Policy Will be used during clean up resources items: description: ResourceSpec information to identify the resource. properties: apiVersion: description: Specifies resource apiVersion. type: string kind: description: Specifies resource kind. type: string name: description: Specifies resource name. type: string namespace: description: Specifies resource namespace. type: string type: object type: array message: description: Specifies request status message type: string state: description: State represents state of the generate request type: string required: - state type: object required: - spec - status type: object served: true storage: true status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 creationTimestamp: null name: policies.kyverno.io spec: group: kyverno.io names: kind: Policy listKind: PolicyList plural: policies shortNames: - pol singular: policy scope: Namespaced versions: - additionalPrinterColumns: - jsonPath: .spec.background name: Background type: string - jsonPath: .spec.validationFailureAction name: Validatoin Failure Action type: string name: v1 schema: openAPIV3Schema: description: Policy contains rules to be applied to created resources. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: Spec is the information to identify the policy. properties: background: default: true description: Background controls if rules are applied to existing resources during a background scan. Default value is "true". type: boolean rules: description: Rules contains the list of rules to be applied to resources. items: description: Rule contains a mutation, validation, or generation action for the single resource description. properties: context: description: Defines variables that can be used during rule execution. items: properties: configMap: properties: name: type: string namespace: type: string type: object name: type: string type: object type: array exclude: description: Selects resources for which the policy rule should not be applied. properties: clusterRoles: description: Specifies list of cluster wide role names. items: type: string type: array resources: description: Specifies resources to which rule is excluded. properties: annotations: additionalProperties: type: string description: Specifies map of annotations. type: object kinds: description: Specifies list of resource kind. items: type: string type: array name: description: Specifies name of the resource. type: string namespaces: description: Specifies list of namespaces. items: type: string type: array selector: description: Specifies the set of selectors. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: description: Specifies list of namespaced role names. items: type: string type: array subjects: description: Specifies list of subject names like users, user groups, and service accounts. items: description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind - name type: object type: array type: object generate: description: Generates new resources. properties: apiVersion: description: Specifies resource apiVersion. type: string clone: description: To clone resource from other resource. properties: name: description: Specifies name of the resource. type: string namespace: description: Specifies resource namespace. type: string type: object data: description: Data specifies the resource manifest to be generated. x-kubernetes-preserve-unknown-fields: true kind: description: Specifies resource kind. type: string name: description: Specifies resource name. type: string namespace: description: Specifies resource namespace. type: string synchronize: default: false description: To keep resources synchronized with source resource. type: boolean type: object match: description: Selects resources for which the policy rule should be applied. If it's defined, "kinds" inside MatchResources block is required. properties: clusterRoles: description: Specifies list of cluster wide role names. items: type: string type: array resources: description: Specifies resources to which rule is applied. properties: annotations: additionalProperties: type: string description: Specifies map of annotations. type: object kinds: description: Specifies list of resource kind. items: type: string type: array name: description: Specifies name of the resource. type: string namespaces: description: Specifies list of namespaces. items: type: string type: array selector: description: Specifies the set of selectors. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: description: Specifies list of namespaced role names. items: type: string type: array subjects: description: Specifies list of subject names like users, user groups, and service accounts. items: description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind - name type: object type: array type: object mutate: description: Modifies matching resources. properties: overlay: description: Specifies overlay patterns. Overlay is preserved for backwards compatibility and will be removed in Kyverno 1.5+. x-kubernetes-preserve-unknown-fields: true patchStrategicMerge: x-kubernetes-preserve-unknown-fields: true patches: description: Specifies JSON Patch. Patches is preserved for backwards compatibility and will be removed in Kyverno 1.5+. items: description: Patch declares patch operation for created object according to RFC 6902. properties: op: description: Specifies operations supported by JSON Patch. i.e:- add, replace and delete. type: string path: description: Specifies path of the resource. type: string value: description: Specifies the value to be applied. x-kubernetes-preserve-unknown-fields: true type: object type: array patchesJson6902: type: string type: object name: description: A unique label for the rule. type: string preconditions: description: Allows condition-based control of the policy rule execution. items: description: Condition defines the evaluation condition. properties: key: description: Key contains key to compare. x-kubernetes-preserve-unknown-fields: true operator: description: Operator to compare against value. type: string value: description: Value to be compared. x-kubernetes-preserve-unknown-fields: true type: object type: array validate: description: Checks matching resources. properties: anyPattern: description: Specifies list of validation patterns. x-kubernetes-preserve-unknown-fields: true deny: description: Specifies conditions to deny validation. properties: conditions: description: Specifies set of condition to deny. items: description: Condition defines the evaluation condition. properties: key: description: Key contains key to compare. x-kubernetes-preserve-unknown-fields: true operator: description: Operator to compare against value. type: string value: description: Value to be compared. x-kubernetes-preserve-unknown-fields: true type: object type: array type: object message: description: Specifies message to be displayed on validation policy violation. type: string pattern: description: Specifies validation pattern. x-kubernetes-preserve-unknown-fields: true type: object type: object type: array validationFailureAction: default: audit description: ValidationFailureAction controls if a policy failure should not disallow an admission review request (enforce), or allow (audit) and report an error. Default value is "audit". type: string type: object status: description: Status contains statistics related to policy. properties: averageExecutionTime: description: Average time required to process the policy rules on a resource. type: string resourcesBlockedCount: description: Count of resources that were blocked for failing a validate, across all rules. type: integer resourcesGeneratedCount: description: Count of resources that were successfully generated, across all rules. type: integer resourcesMutatedCount: description: Count of resources that were successfully mutated, across all rules. type: integer ruleStatus: items: description: RuleStats provides status per rule. properties: appliedCount: description: Count of rules that were applied. type: integer averageExecutionTime: description: Average time require to process the rule. type: string failedCount: description: Count of rules that failed. type: integer resourcesBlockedCount: description: Count of resources for whom update/create api requests were blocked as the resource did not satisfy the policy rules. type: integer resourcesGeneratedCount: description: Count of resources that were successfully generated. type: integer resourcesMutatedCount: description: Count of resources that were successfully mutated. type: integer ruleName: description: Rule name. type: string violationCount: description: Number of violations created by this rule. type: integer required: - ruleName type: object type: array rulesAppliedCount: description: Count of rules that were applied. type: integer rulesFailedCount: description: Count of rules that failed. type: integer violationCount: description: Number of violations created by this policy. type: integer type: object required: - spec type: object served: true storage: true subresources: status: {} status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 creationTimestamp: null name: policyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io names: kind: PolicyReport listKind: PolicyReportList plural: policyreports shortNames: - polr singular: policyreport scope: Namespaced versions: - additionalPrinterColumns: - jsonPath: .scope.kind name: Kind priority: 1 type: string - jsonPath: .scope.name name: Name priority: 1 type: string - jsonPath: .summary.pass name: Pass type: integer - jsonPath: .summary.fail name: Fail type: integer - jsonPath: .summary.warn name: Warn type: integer - jsonPath: .summary.error name: Error type: integer - jsonPath: .summary.skip name: Skip type: integer - jsonPath: .metadata.creationTimestamp name: Age type: date name: v1alpha1 schema: openAPIV3Schema: description: PolicyReport is the Schema for the policyreports API properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category type: string data: additionalProperties: type: string description: Data provides additional information for the policy rule type: object message: description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: description: Resources is an optional reference to the resource checked by the policy and rule items: description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object type: array rule: description: Rule is the name of the policy rule type: string scored: description: Scored indicates if this policy rule is scored type: boolean severity: description: Severity indicates policy severity enum: - high - low - medium type: string status: description: Status indicates the result of the policy rule check enum: - pass - fail - warn - error - skip type: string required: - policy type: object type: array scope: description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: description: Error provides the count of policies that could not be evaluated type: integer fail: description: Fail provides the count of policies whose requirements were not met type: integer pass: description: Pass provides the count of policies whose requirements were met type: integer skip: description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object served: true storage: true subresources: {} status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 creationTimestamp: null name: reportchangerequests.kyverno.io spec: group: kyverno.io names: kind: ReportChangeRequest listKind: ReportChangeRequestList plural: reportchangerequests singular: reportchangerequest scope: Namespaced versions: - additionalPrinterColumns: - jsonPath: .scope.kind name: Kind priority: 1 type: string - jsonPath: .scope.name name: Name priority: 1 type: string - jsonPath: .summary.pass name: Pass type: integer - jsonPath: .summary.fail name: Fail type: integer - jsonPath: .summary.warn name: Warn type: integer - jsonPath: .summary.error name: Error type: integer - jsonPath: .summary.skip name: Skip type: integer - jsonPath: .metadata.creationTimestamp name: Age type: date name: v1alpha1 schema: openAPIV3Schema: description: ReportChangeRequest is the Schema for the ReportChangeRequests API properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category type: string data: additionalProperties: type: string description: Data provides additional information for the policy rule type: object message: description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: description: Resources is an optional reference to the resource checked by the policy and rule items: description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object type: array rule: description: Rule is the name of the policy rule type: string scored: description: Scored indicates if this policy rule is scored type: boolean severity: description: Severity indicates policy severity enum: - high - low - medium type: string status: description: Status indicates the result of the policy rule check enum: - pass - fail - warn - error - skip type: string required: - policy type: object type: array scope: description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: description: Error provides the count of policies that could not be evaluated type: integer fail: description: Fail provides the count of policies whose requirements were not met type: integer pass: description: Pass provides the count of policies whose requirements were met type: integer skip: description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object served: true storage: true subresources: {} status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: v1 kind: ServiceAccount metadata: name: kyverno-service-account namespace: kyverno --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: kyverno:customresources rules: - apiGroups: - '*' resources: - policies - policies/status - clusterpolicies - clusterpolicies/status - policyreports - policyreports/status - clusterpolicyreports - clusterpolicyreports/status - generaterequests - generaterequests/status - reportchangerequests - reportchangerequests/status - clusterreportchangerequests - clusterreportchangerequests/status verbs: - create - delete - get - list - patch - update - watch - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: - delete --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: kyverno:generatecontroller rules: - apiGroups: - '*' resources: - namespaces - networkpolicies - secrets - configmaps - resourcequotas - limitranges - clusterroles - rolebindings - clusterrolebindings verbs: - create - update - delete - get - apiGroups: - '*' resources: - namespaces verbs: - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: kyverno:policycontroller rules: - apiGroups: - '*' resources: - '*' verbs: - get - list - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: kyverno:userinfo rules: - apiGroups: - '*' resources: - roles - clusterroles - rolebindings - clusterrolebindings - configmaps - namespaces verbs: - watch - list --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: kyverno:webhook rules: - apiGroups: - '*' resources: - events - mutatingwebhookconfigurations - validatingwebhookconfigurations - certificatesigningrequests - certificatesigningrequests/approval verbs: - create - delete - get - list - patch - update - watch - apiGroups: - certificates.k8s.io resourceNames: - kubernetes.io/legacy-unknown resources: - certificatesigningrequests - certificatesigningrequests/approval - certificatesigningrequests/status verbs: - create - delete - get - update - watch - apiGroups: - certificates.k8s.io resourceNames: - kubernetes.io/legacy-unknown resources: - signers verbs: - approve --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: labels: rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-policies rules: - apiGroups: - kyverno.io resources: - policies verbs: - '*' --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: labels: rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-policyreport rules: - apiGroups: - wgpolicyk8s.io/v1alpha1 resources: - policyreport - clusterpolicyreport verbs: - '*' --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: labels: rbac.authorization.k8s.io/aggregate-to-edit: "true" name: kyverno:edit-policies-policyreport rules: - apiGroups: - wgpolicyk8s.io/v1alpha1 resources: - policyreport - clusterpolicyreport - policies verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: kyverno:policyreport rules: - apiGroups: - '*' resources: - policyreports - clusterpolicyreports - pods verbs: - get - list - watch - delete --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: kyverno:policyviolations rules: - apiGroups: - kyverno.io resources: - policyviolations verbs: - get - list - watch - delete --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: labels: rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:view-clusterpolicyreport rules: - apiGroups: - wgpolicyk8s.io/v1alpha1 resources: - clusterpolicyreport verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: labels: rbac.authorization.k8s.io/aggregate-to-view: "true" name: kyverno:view-policyreport rules: - apiGroups: - wgpolicyk8s.io/v1alpha1 resources: - policyreport verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kyverno:customresources roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kyverno:customresources subjects: - kind: ServiceAccount name: kyverno-service-account namespace: kyverno --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kyverno:generatecontroller roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kyverno:generatecontroller subjects: - kind: ServiceAccount name: kyverno-service-account namespace: kyverno --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kyverno:policycontroller roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kyverno:policycontroller subjects: - kind: ServiceAccount name: kyverno-service-account namespace: kyverno --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kyverno:policyreport roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kyverno:policyreport subjects: - kind: ServiceAccount name: kyverno-service-account namespace: kyverno --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kyverno:policyviolations roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kyverno:policyviolations subjects: - kind: ServiceAccount name: kyverno-service-account namespace: kyverno --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kyverno:userinfo roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kyverno:userinfo subjects: - kind: ServiceAccount name: kyverno-service-account namespace: kyverno --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kyverno:webhook roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kyverno:webhook subjects: - kind: ServiceAccount name: kyverno-service-account namespace: kyverno --- apiVersion: v1 data: excludeGroupRole: system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]' kind: ConfigMap metadata: name: init-config namespace: kyverno --- apiVersion: v1 kind: Service metadata: labels: app: kyverno name: kyverno-svc namespace: kyverno spec: ports: - port: 443 targetPort: https selector: app: kyverno