Spec declares policy behaviors.

Status contains policy runtime data.

Spec declares policy behaviors.

Status contains policy runtime data.

Spec declares policy behaviors.

Status contains policy runtime data.

Spec defines policy behaviors and contains one or more rules.

Status contains policy runtime data.

Spec declares policy exception behaviors.

AnyConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, at least one of the conditions need to pass.

AllConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, all of the conditions need to pass.

Context defines variables and data sources that can be used during rule execution.

MatchResources defines when cleanuppolicy should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required.

ExcludeResources defines when cleanuppolicy should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role.

The schedule in Cron format

Conditions defines the conditions used to select the resources which will be cleaned up.

Key is the context entry (using JMESPath) for conditional rule evaluation.

Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan

Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath.

Message is an optional display message

Multiple conditions can be declared under an any or all statement. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules

PolicyName identifies the policy to which the exception is applied. The policy name uses the format / unless it references a ClusterPolicy.

RuleNames identifies the rules to which the exception is applied.

Type specifies the method of signature validation. The allowed options are Cosign and Notary. By default Cosign is used if a type is not specified.

ImageReferences is a list of matching image reference patterns. At least one pattern in the list must match the image for the rule to apply. Each image reference consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.

SkipImageReferences is a list of matching image reference patterns that should be skipped. At least one pattern in the list must match the image for the rule to be skipped. Each image reference consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.

Attestors specified the required attestors (i.e. authorities)

Attestations are optional checks for signed in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statement declarations.

Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. If specified Repository will override the default OCI image repository configured for the installation. The repository can also be overridden per Attestor or Attestation.

MutateDigest enables replacement of image tags with digests. Defaults to true.

VerifyDigest validates that images have a digest.

Required validates that images are verified i.e. have matched passed a signature or attestation check.

ImageRegistryCredentials provides credentials that will be used for authentication with registry

UseCache enables caching of image verify responses for this rule

Any allows specifying resources which will be ORed

All allows specifying resources which will be ANDed

Background controls if exceptions are applied to existing policies during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name).

Match defines match clause used to check if a resource applies to the exception

Conditions are used to determine if a resource applies to the exception by evaluating a set of conditions. The declaration can contain nested any or all statements.

Exceptions is a list policy/rules to be excluded

PodSecurity specifies the Pod Security Standard controls to be excluded. Applicable only to policies that have validate.podSecurity subrule.

Kinds is a list of resource kinds.

Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).

Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).

Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character).

Selector is a label selector. Label keys and values in matchLabels support the wildcard characters * (matches zero or many characters) and ? (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/": ""]. Note that using ["" : ""] matches any key and value but does not match an empty label set.

NamespaceSelector is a label selector for the resource namespace. Label keys and values in matchLabels support the wildcard characters * (matches zero or many characters) and ? (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/": ""]. Note that using ["" : ""] matches any key and value but does not match an empty label set.

Operations can contain values ["CREATE, "UPDATE", "CONNECT", "DELETE"], which are used to match a specific action.

Name is a label to identify the rule, It must be unique within the policy.

Context defines variables and data sources that can be used during rule execution.

MatchResources defines when this policy rule should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required.

ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role.

ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. This config is only valid for verifyImages rules.

Preconditions are used to determine if a policy rule should be applied by evaluating a set of conditions. The declaration can contain nested any or all statements. See: https://kyverno.io/docs/writing-policies/preconditions/

CELPreconditions are used to determine if a policy rule should be applied by evaluating a set of CEL conditions. It can only be used with the validate.cel subrule

Mutation is used to modify matching resources.

Validation is used to validate matching resources.

Generation is used to create new resources.

VerifyImages is used to verify image signatures and mutate them to add a digest

SkipBackgroundRequests bypasses admission requests that are sent by the background controller. The default value is set to "true", it must be set to "false" to apply generate and mutateExisting rules to those requests.

Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources.

ApplyRules controls how rules in a policy are applied. Rule are processed in the order of declaration. When set to One processing stops after a rule has been applied i.e. the rule matches and results in a pass, fail, or error. When set to All all rules in the policy are processed. The default is All.

FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. Rules within the same policy share the same failure behavior. Allowed values are Ignore or Fail. Defaults to Fail.

ValidationFailureAction defines if a validation policy rule violation should block the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. Allowed values are audit or enforce. The default value is "Audit".

ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction namespace-wise. It overrides ValidationFailureAction for the specified namespaces.

Admission controls if rules are applied during admission. Optional. Default value is "true".

Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name).

Deprecated.

WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. After the configured time expires, the admission request may fail, or may simply ignore the policy results, based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.

MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. Default value is "false".

Deprecated, use generateExisting instead

Deprecated, use generateExisting under the generate rule instead

UseServerSideApply controls whether to use server-side apply for generate rules If is set to "true" create & update for generate rules will use apply instead of create/update. Defaults to "false" if not specified.

WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. Requires Kubernetes 1.27 or later.

Message specifies a custom message to be displayed on failure.

Manifest specifies conditions for manifest verification

ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.

Pattern specifies an overlay-style pattern used to check resources.

AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed.

Deny defines conditions used to pass or fail a validation rule.

PodSecurity applies exemptions for Kubernetes Pod Security admission by specifying exclusions for Pod Security Standards controls.

CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).

MatchCondition configures admission webhook matchConditions.