apiVersion: v1 kind: Namespace metadata: labels: app: kyverno app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno app.kubernetes.io/version: v1.4.0-rc4 name: kyverno --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 creationTimestamp: null labels: app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno app.kubernetes.io/version: v1.4.0-rc4 name: clusterpolicies.kyverno.io spec: group: kyverno.io names: kind: ClusterPolicy listKind: ClusterPolicyList plural: clusterpolicies shortNames: - cpol singular: clusterpolicy scope: Cluster versions: - additionalPrinterColumns: - jsonPath: .spec.background name: Background type: string - jsonPath: .spec.validationFailureAction name: Action type: string name: v1 schema: openAPIV3Schema: description: ClusterPolicy declares validation, mutation, and generation behaviors for matching resources. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: Spec declares policy behaviors. properties: background: description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). type: boolean rules: description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. items: description: Rule defines a validation, mutation, or generation control for matching resources. Each rules contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude. properties: context: description: Context defines variables and data sources that can be used during rule execution. items: description: ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or a APILookup must be provided. properties: apiCall: description: APICall defines an HTTP request to the Kubernetes API server. The JSON data retrieved is stored in the context. properties: jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the API server. For example a JMESPath of "items | length(@)" applied to the API server response to the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string urlPath: description: URLPath is the URL path to be used in the HTTP GET request to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. type: string required: - urlPath type: object configMap: description: ConfigMap is the ConfigMap reference. properties: name: description: Name is the ConfigMap name. type: string namespace: description: Namespace is the ConfigMap namespace. type: string required: - name type: object name: description: Name is the variable name. type: string type: object type: array exclude: description: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. properties: clusterRoles: description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. items: type: string type: array name: description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaceSelector: description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: description: Subjects is the list of subject names like users, user groups, and service accounts. items: description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind - name type: object type: array type: object generate: description: Generation is used to create new resources. properties: apiVersion: description: APIVersion specifies resource apiVersion. type: string clone: description: Clone specifies the source resource used to populate each generated resource. At most one of Data or Clone can be specified. If neither are provided, the generated resource will be created with default data only. properties: name: description: Name specifies name of the resource. type: string namespace: description: Namespace specifies source resource namespace. type: string type: object data: description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. type: string name: description: Name specifies the resource name. type: string namespace: description: Namespace specifies resource namespace. type: string synchronize: description: Synchronize controls if generated resources should be kept in-sync with their source resource. If Synchronize is set to "true" changes to generated resources will be overwritten with resource data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean type: object match: description: MatchResources defines when this policy rule should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. properties: clusterRoles: description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. properties: annotations: additionalProperties: type: string description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. items: type: string type: array name: description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaceSelector: description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: description: Subjects is the list of subject names like users, user groups, and service accounts. items: description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind - name type: object type: array type: object mutate: description: Mutation is used to modify matching resources. properties: overlay: description: Overlay specifies an overlay pattern to modify resources. DEPRECATED. Use PatchStrategicMerge instead. Scheduled for removal in release 1.5+. x-kubernetes-preserve-unknown-fields: true patchStrategicMerge: description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patches: description: Patches specifies a RFC 6902 JSON Patch to modify resources. DEPRECATED. Use PatchesJSON6902 instead. Scheduled for removal in release 1.5+. items: description: 'Patch is a RFC 6902 JSON Patch. See: https://tools.ietf.org/html/rfc6902' properties: op: description: Operation specifies operations supported by JSON Patch. i.e:- add, replace and delete. type: string path: description: Path specifies path of the resource. type: string value: description: Value specifies the value to be applied. x-kubernetes-preserve-unknown-fields: true type: object nullable: true type: array x-kubernetes-preserve-unknown-fields: true patchesJson6902: description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string type: object name: description: Name is a label to identify the rule, It must be unique within the policy. maxLength: 63 type: string preconditions: description: AnyAllConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. This too can be made to happen in a logical-manner where in some situation all the conditions need to pass and in some other situation, atleast one condition is enough to pass. For the sake of backwards compatibility, it can be populated with []kyverno.Condition. x-kubernetes-preserve-unknown-fields: true validate: description: Validation is used to validate matching resources. properties: anyPattern: description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: description: Deny defines conditions to fail the validation rule. properties: conditions: description: specifies the set of conditions to deny in a logical manner For the sake of backwards compatibility, it can be populated with []kyverno.Condition. x-kubernetes-preserve-unknown-fields: true type: object message: description: Message specifies a custom message to be displayed on failure. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true type: object type: object type: array validationFailureAction: description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". type: string type: object status: description: Status contains policy runtime data. properties: averageExecutionTime: description: AvgExecutionTime is the average time taken to process the policy rules on a resource. type: string resourcesBlockedCount: description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this policy. type: integer resourcesGeneratedCount: description: ResourcesGeneratedCount is the total count of resources that were generated by this policy. type: integer resourcesMutatedCount: description: ResourcesMutatedCount is the total count of resources that were mutated by this policy. type: integer ruleStatus: description: Rules provides per rule statistics items: description: RuleStats provides statistics for an individual rule within a policy. properties: appliedCount: description: AppliedCount is the total number of times this rule was applied. type: integer averageExecutionTime: description: ExecutionTime is the average time taken to execute this rule. type: string failedCount: description: FailedCount is the total count of policy error results for this rule. type: integer resourcesBlockedCount: description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this rule. type: integer resourcesGeneratedCount: description: ResourcesGeneratedCount is the total count of resources that were generated by this rule. type: integer resourcesMutatedCount: description: ResourcesMutatedCount is the total count of resources that were mutated by this rule. type: integer ruleName: description: Name is the rule name. type: string violationCount: description: ViolationCount is the total count of policy failure results for this rule. type: integer required: - ruleName type: object type: array rulesAppliedCount: description: RulesAppliedCount is the total number of times this policy was applied. type: integer rulesFailedCount: description: RulesFailedCount is the total count of policy execution errors for this policy. type: integer violationCount: description: ViolationCount is the total count of policy failure results for this policy. type: integer type: object required: - spec type: object served: true storage: true subresources: status: {} status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 creationTimestamp: null labels: app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno app.kubernetes.io/version: v1.4.0-rc4 name: clusterpolicyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io names: kind: ClusterPolicyReport listKind: ClusterPolicyReportList plural: clusterpolicyreports shortNames: - cpolr singular: clusterpolicyreport scope: Cluster versions: - additionalPrinterColumns: - jsonPath: .scope.kind name: Kind priority: 1 type: string - jsonPath: .scope.name name: Name priority: 1 type: string - jsonPath: .summary.pass name: Pass type: integer - jsonPath: .summary.fail name: Fail type: integer - jsonPath: .summary.warn name: Warn type: integer - jsonPath: .summary.error name: Error type: integer - jsonPath: .summary.skip name: Skip type: integer - jsonPath: .metadata.creationTimestamp name: Age type: date name: v1alpha1 schema: openAPIV3Schema: description: ClusterPolicyReport is the Schema for the clusterpolicyreports API properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category type: string data: additionalProperties: type: string description: Data provides additional information for the policy rule type: object message: description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: description: Resources is an optional reference to the resource checked by the policy and rule items: description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object type: array rule: description: Rule is the name of the policy rule type: string scored: description: Scored indicates if this policy rule is scored type: boolean severity: description: Severity indicates policy severity enum: - high - low - medium type: string status: description: Status indicates the result of the policy rule check enum: - pass - fail - warn - error - skip type: string required: - policy type: object type: array scope: description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: description: Error provides the count of policies that could not be evaluated type: integer fail: description: Fail provides the count of policies whose requirements were not met type: integer pass: description: Pass provides the count of policies whose requirements were met type: integer skip: description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object served: true storage: true subresources: {} status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 creationTimestamp: null labels: app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno app.kubernetes.io/version: v1.4.0-rc4 name: clusterreportchangerequests.kyverno.io spec: group: kyverno.io names: kind: ClusterReportChangeRequest listKind: ClusterReportChangeRequestList plural: clusterreportchangerequests shortNames: - crcr singular: clusterreportchangerequest scope: Cluster versions: - additionalPrinterColumns: - jsonPath: .scope.kind name: Kind priority: 1 type: string - jsonPath: .scope.name name: Name priority: 1 type: string - jsonPath: .summary.pass name: Pass type: integer - jsonPath: .summary.fail name: Fail type: integer - jsonPath: .summary.warn name: Warn type: integer - jsonPath: .summary.error name: Error type: integer - jsonPath: .summary.skip name: Skip type: integer - jsonPath: .metadata.creationTimestamp name: Age type: date name: v1alpha1 schema: openAPIV3Schema: description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests API properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category type: string data: additionalProperties: type: string description: Data provides additional information for the policy rule type: object message: description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: description: Resources is an optional reference to the resource checked by the policy and rule items: description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object type: array rule: description: Rule is the name of the policy rule type: string scored: description: Scored indicates if this policy rule is scored type: boolean severity: description: Severity indicates policy severity enum: - high - low - medium type: string status: description: Status indicates the result of the policy rule check enum: - pass - fail - warn - error - skip type: string required: - policy type: object type: array scope: description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: description: Error provides the count of policies that could not be evaluated type: integer fail: description: Fail provides the count of policies whose requirements were not met type: integer pass: description: Pass provides the count of policies whose requirements were met type: integer skip: description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object served: true storage: true subresources: {} status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 creationTimestamp: null labels: app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno app.kubernetes.io/version: v1.4.0-rc4 name: generaterequests.kyverno.io spec: group: kyverno.io names: kind: GenerateRequest listKind: GenerateRequestList plural: generaterequests shortNames: - gr singular: generaterequest scope: Namespaced versions: - additionalPrinterColumns: - jsonPath: .spec.policy name: Policy type: string - jsonPath: .spec.resource.kind name: ResourceKind type: string - jsonPath: .spec.resource.name name: ResourceName type: string - jsonPath: .spec.resource.namespace name: ResourceNamespace type: string - jsonPath: .status.state name: status type: string - jsonPath: .metadata.creationTimestamp name: Age type: date name: v1 schema: openAPIV3Schema: description: GenerateRequest is a request to process generate rule. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: Spec is the information to identify the generate request. properties: context: description: Context ... properties: userInfo: description: RequestInfo contains permission info carried in an admission request. properties: clusterRoles: description: ClusterRoles is a list of possible clusterRoles send the request. items: type: string nullable: true type: array roles: description: Roles is a list of possible role send the request. items: type: string nullable: true type: array userInfo: description: UserInfo is the userInfo carried in the admission request. properties: extra: additionalProperties: description: ExtraValue masks the value so protobuf can generate items: type: string type: array description: Any additional information provided by the authenticator. type: object groups: description: The names of groups this user is a part of. items: type: string type: array uid: description: A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs. type: string username: description: The name that uniquely identifies this user among all active users. type: string type: object type: object type: object policy: description: Specifies the name of the policy. type: string resource: description: ResourceSpec is the information to identify the generate request. properties: apiVersion: description: APIVersion specifies resource apiVersion. type: string kind: description: Kind specifies resource kind. type: string name: description: Name specifies the resource name. type: string namespace: description: Namespace specifies resource namespace. type: string type: object required: - context - policy - resource type: object status: description: Status contains statistics related to generate request. properties: generatedResources: description: This will track the resources that are generated by the generate Policy. Will be used during clean up resources. items: description: ResourceSpec contains information to identify a resource. properties: apiVersion: description: APIVersion specifies resource apiVersion. type: string kind: description: Kind specifies resource kind. type: string name: description: Name specifies the resource name. type: string namespace: description: Namespace specifies resource namespace. type: string type: object type: array message: description: Specifies request status message. type: string state: description: State represents state of the generate request. type: string required: - state type: object required: - spec type: object served: true storage: true subresources: status: {} status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 creationTimestamp: null labels: app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno app.kubernetes.io/version: v1.4.0-rc4 name: policies.kyverno.io spec: group: kyverno.io names: kind: Policy listKind: PolicyList plural: policies shortNames: - pol singular: policy scope: Namespaced versions: - additionalPrinterColumns: - jsonPath: .spec.background name: Background type: string - jsonPath: .spec.validationFailureAction name: Action type: string name: v1 schema: openAPIV3Schema: description: 'Policy declares validation, mutation, and generation behaviors for matching resources. See: https://kyverno.io/docs/writing-policies/ for more information.' properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: Spec defines policy behaviors and contains one or rules. properties: background: description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). type: boolean rules: description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. items: description: Rule defines a validation, mutation, or generation control for matching resources. Each rules contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude. properties: context: description: Context defines variables and data sources that can be used during rule execution. items: description: ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or a APILookup must be provided. properties: apiCall: description: APICall defines an HTTP request to the Kubernetes API server. The JSON data retrieved is stored in the context. properties: jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the API server. For example a JMESPath of "items | length(@)" applied to the API server response to the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string urlPath: description: URLPath is the URL path to be used in the HTTP GET request to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. type: string required: - urlPath type: object configMap: description: ConfigMap is the ConfigMap reference. properties: name: description: Name is the ConfigMap name. type: string namespace: description: Namespace is the ConfigMap namespace. type: string required: - name type: object name: description: Name is the variable name. type: string type: object type: array exclude: description: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. properties: clusterRoles: description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. items: type: string type: array name: description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaceSelector: description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: description: Subjects is the list of subject names like users, user groups, and service accounts. items: description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind - name type: object type: array type: object generate: description: Generation is used to create new resources. properties: apiVersion: description: APIVersion specifies resource apiVersion. type: string clone: description: Clone specifies the source resource used to populate each generated resource. At most one of Data or Clone can be specified. If neither are provided, the generated resource will be created with default data only. properties: name: description: Name specifies name of the resource. type: string namespace: description: Namespace specifies source resource namespace. type: string type: object data: description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. type: string name: description: Name specifies the resource name. type: string namespace: description: Namespace specifies resource namespace. type: string synchronize: description: Synchronize controls if generated resources should be kept in-sync with their source resource. If Synchronize is set to "true" changes to generated resources will be overwritten with resource data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean type: object match: description: MatchResources defines when this policy rule should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. properties: clusterRoles: description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. properties: annotations: additionalProperties: type: string description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. items: type: string type: array name: description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaceSelector: description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: description: Subjects is the list of subject names like users, user groups, and service accounts. items: description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind - name type: object type: array type: object mutate: description: Mutation is used to modify matching resources. properties: overlay: description: Overlay specifies an overlay pattern to modify resources. DEPRECATED. Use PatchStrategicMerge instead. Scheduled for removal in release 1.5+. x-kubernetes-preserve-unknown-fields: true patchStrategicMerge: description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patches: description: Patches specifies a RFC 6902 JSON Patch to modify resources. DEPRECATED. Use PatchesJSON6902 instead. Scheduled for removal in release 1.5+. items: description: 'Patch is a RFC 6902 JSON Patch. See: https://tools.ietf.org/html/rfc6902' properties: op: description: Operation specifies operations supported by JSON Patch. i.e:- add, replace and delete. type: string path: description: Path specifies path of the resource. type: string value: description: Value specifies the value to be applied. x-kubernetes-preserve-unknown-fields: true type: object nullable: true type: array x-kubernetes-preserve-unknown-fields: true patchesJson6902: description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string type: object name: description: Name is a label to identify the rule, It must be unique within the policy. maxLength: 63 type: string preconditions: description: AnyAllConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. This too can be made to happen in a logical-manner where in some situation all the conditions need to pass and in some other situation, atleast one condition is enough to pass. For the sake of backwards compatibility, it can be populated with []kyverno.Condition. x-kubernetes-preserve-unknown-fields: true validate: description: Validation is used to validate matching resources. properties: anyPattern: description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: description: Deny defines conditions to fail the validation rule. properties: conditions: description: specifies the set of conditions to deny in a logical manner For the sake of backwards compatibility, it can be populated with []kyverno.Condition. x-kubernetes-preserve-unknown-fields: true type: object message: description: Message specifies a custom message to be displayed on failure. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true type: object type: object type: array validationFailureAction: description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". type: string type: object status: description: Status contains policy runtime information. properties: averageExecutionTime: description: AvgExecutionTime is the average time taken to process the policy rules on a resource. type: string resourcesBlockedCount: description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this policy. type: integer resourcesGeneratedCount: description: ResourcesGeneratedCount is the total count of resources that were generated by this policy. type: integer resourcesMutatedCount: description: ResourcesMutatedCount is the total count of resources that were mutated by this policy. type: integer ruleStatus: description: Rules provides per rule statistics items: description: RuleStats provides statistics for an individual rule within a policy. properties: appliedCount: description: AppliedCount is the total number of times this rule was applied. type: integer averageExecutionTime: description: ExecutionTime is the average time taken to execute this rule. type: string failedCount: description: FailedCount is the total count of policy error results for this rule. type: integer resourcesBlockedCount: description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this rule. type: integer resourcesGeneratedCount: description: ResourcesGeneratedCount is the total count of resources that were generated by this rule. type: integer resourcesMutatedCount: description: ResourcesMutatedCount is the total count of resources that were mutated by this rule. type: integer ruleName: description: Name is the rule name. type: string violationCount: description: ViolationCount is the total count of policy failure results for this rule. type: integer required: - ruleName type: object type: array rulesAppliedCount: description: RulesAppliedCount is the total number of times this policy was applied. type: integer rulesFailedCount: description: RulesFailedCount is the total count of policy execution errors for this policy. type: integer violationCount: description: ViolationCount is the total count of policy failure results for this policy. type: integer type: object required: - spec type: object served: true storage: true subresources: status: {} status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 creationTimestamp: null labels: app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno app.kubernetes.io/version: v1.4.0-rc4 name: policyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io names: kind: PolicyReport listKind: PolicyReportList plural: policyreports shortNames: - polr singular: policyreport scope: Namespaced versions: - additionalPrinterColumns: - jsonPath: .scope.kind name: Kind priority: 1 type: string - jsonPath: .scope.name name: Name priority: 1 type: string - jsonPath: .summary.pass name: Pass type: integer - jsonPath: .summary.fail name: Fail type: integer - jsonPath: .summary.warn name: Warn type: integer - jsonPath: .summary.error name: Error type: integer - jsonPath: .summary.skip name: Skip type: integer - jsonPath: .metadata.creationTimestamp name: Age type: date name: v1alpha1 schema: openAPIV3Schema: description: PolicyReport is the Schema for the policyreports API properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category type: string data: additionalProperties: type: string description: Data provides additional information for the policy rule type: object message: description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: description: Resources is an optional reference to the resource checked by the policy and rule items: description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object type: array rule: description: Rule is the name of the policy rule type: string scored: description: Scored indicates if this policy rule is scored type: boolean severity: description: Severity indicates policy severity enum: - high - low - medium type: string status: description: Status indicates the result of the policy rule check enum: - pass - fail - warn - error - skip type: string required: - policy type: object type: array scope: description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: description: Error provides the count of policies that could not be evaluated type: integer fail: description: Fail provides the count of policies whose requirements were not met type: integer pass: description: Pass provides the count of policies whose requirements were met type: integer skip: description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object served: true storage: true subresources: {} status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 creationTimestamp: null labels: app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno app.kubernetes.io/version: v1.4.0-rc4 name: reportchangerequests.kyverno.io spec: group: kyverno.io names: kind: ReportChangeRequest listKind: ReportChangeRequestList plural: reportchangerequests shortNames: - rcr singular: reportchangerequest scope: Namespaced versions: - additionalPrinterColumns: - jsonPath: .scope.kind name: Kind priority: 1 type: string - jsonPath: .scope.name name: Name priority: 1 type: string - jsonPath: .summary.pass name: Pass type: integer - jsonPath: .summary.fail name: Fail type: integer - jsonPath: .summary.warn name: Warn type: integer - jsonPath: .summary.error name: Error type: integer - jsonPath: .summary.skip name: Skip type: integer - jsonPath: .metadata.creationTimestamp name: Age type: date name: v1alpha1 schema: openAPIV3Schema: description: ReportChangeRequest is the Schema for the ReportChangeRequests API properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category type: string data: additionalProperties: type: string description: Data provides additional information for the policy rule type: object message: description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: description: Resources is an optional reference to the resource checked by the policy and rule items: description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object type: array rule: description: Rule is the name of the policy rule type: string scored: description: Scored indicates if this policy rule is scored type: boolean severity: description: Severity indicates policy severity enum: - high - low - medium type: string status: description: Status indicates the result of the policy rule check enum: - pass - fail - warn - error - skip type: string required: - policy type: object type: array scope: description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: description: Error provides the count of policies that could not be evaluated type: integer fail: description: Fail provides the count of policies whose requirements were not met type: integer pass: description: Pass provides the count of policies whose requirements were met type: integer skip: description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object served: true storage: true subresources: {} status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: v1 kind: ServiceAccount metadata: labels: app: kyverno app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno app.kubernetes.io/version: v1.4.0-rc4 name: kyverno-service-account namespace: kyverno --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app: kyverno app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno app.kubernetes.io/version: v1.4.0-rc4 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-policies rules: - apiGroups: - kyverno.io resources: - policies - clusterpolicies verbs: - '*' --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app: kyverno app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno app.kubernetes.io/version: v1.4.0-rc4 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-policyreport rules: - apiGroups: - wgpolicyk8s.io/v1alpha1 resources: - policyreports - clusterpolicyreports verbs: - '*' --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app: kyverno app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno app.kubernetes.io/version: v1.4.0-rc4 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-reportchangerequest rules: - apiGroups: - kyverno.io resources: - reportchangerequests - clusterreportchangerequests verbs: - '*' --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app: kyverno app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno app.kubernetes.io/version: v1.4.0-rc4 name: kyverno:customresources rules: - apiGroups: - '*' resources: - policies - policies/status - clusterpolicies - clusterpolicies/status - policyreports - policyreports/status - clusterpolicyreports - clusterpolicyreports/status - generaterequests - generaterequests/status - reportchangerequests - reportchangerequests/status - clusterreportchangerequests - clusterreportchangerequests/status verbs: - create - delete - get - list - patch - update - watch - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: - delete --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app: kyverno app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno app.kubernetes.io/version: v1.4.0-rc4 name: kyverno:generatecontroller rules: - apiGroups: - '*' resources: - namespaces - networkpolicies - secrets - configmaps - resourcequotas - limitranges verbs: - create - update - delete - list - get - apiGroups: - '*' resources: - namespaces verbs: - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app: kyverno app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno app.kubernetes.io/version: v1.4.0-rc4 name: kyverno:leaderelection rules: - apiGroups: - coordination.k8s.io resources: - leases verbs: - create - delete - get - patch - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app: kyverno app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno app.kubernetes.io/version: v1.4.0-rc4 name: kyverno:policycontroller rules: - apiGroups: - '*' resources: - '*' verbs: - get - list - update - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app: kyverno app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno app.kubernetes.io/version: v1.4.0-rc4 name: kyverno:userinfo rules: - apiGroups: - '*' resources: - roles - clusterroles - rolebindings - clusterrolebindings - configmaps - namespaces verbs: - watch - list --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app: kyverno app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno app.kubernetes.io/version: v1.4.0-rc4 name: kyverno:webhook rules: - apiGroups: - '*' resources: - events - mutatingwebhookconfigurations - validatingwebhookconfigurations - certificatesigningrequests - certificatesigningrequests/approval verbs: - create - delete - get - list - patch - update - watch - apiGroups: - certificates.k8s.io resourceNames: - kubernetes.io/legacy-unknown resources: - certificatesigningrequests - certificatesigningrequests/approval - certificatesigningrequests/status verbs: - create - delete - get - update - watch - apiGroups: - certificates.k8s.io resourceNames: - kubernetes.io/legacy-unknown resources: - signers verbs: - approve --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: app: kyverno app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno app.kubernetes.io/version: v1.4.0-rc4 name: kyverno:customresources roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kyverno:customresources subjects: - kind: ServiceAccount name: kyverno-service-account namespace: kyverno --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: app: kyverno app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno app.kubernetes.io/version: v1.4.0-rc4 name: kyverno:generatecontroller roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kyverno:generatecontroller subjects: - kind: ServiceAccount name: kyverno-service-account namespace: kyverno --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: app: kyverno app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno app.kubernetes.io/version: v1.4.0-rc4 name: kyverno:leaderelection roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kyverno:leaderelection subjects: - kind: ServiceAccount name: kyverno-service-account namespace: kyverno --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: app: kyverno app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno app.kubernetes.io/version: v1.4.0-rc4 name: kyverno:policycontroller roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kyverno:policycontroller subjects: - kind: ServiceAccount name: kyverno-service-account namespace: kyverno --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: app: kyverno app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno app.kubernetes.io/version: v1.4.0-rc4 name: kyverno:userinfo roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kyverno:userinfo subjects: - kind: ServiceAccount name: kyverno-service-account namespace: kyverno --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: app: kyverno app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno app.kubernetes.io/version: v1.4.0-rc4 name: kyverno:webhook roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kyverno:webhook subjects: - kind: ServiceAccount name: kyverno-service-account namespace: kyverno --- apiVersion: v1 data: excludeGroupRole: system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]' kind: ConfigMap metadata: labels: app: kyverno app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno app.kubernetes.io/version: v1.4.0-rc4 name: init-config namespace: kyverno --- apiVersion: v1 kind: Service metadata: labels: app: kyverno app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno app.kubernetes.io/version: v1.4.0-rc4 name: kyverno-svc namespace: kyverno spec: ports: - name: https port: 443 targetPort: https selector: app: kyverno app.kubernetes.io/name: kyverno --- apiVersion: v1 kind: Service metadata: labels: app: kyverno app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno app.kubernetes.io/version: v1.4.0-rc4 name: kyverno-svc-metrics namespace: kyverno spec: ports: - name: metrics-port port: 8000 targetPort: metrics-port selector: app: kyverno app.kubernetes.io/name: kyverno --- apiVersion: apps/v1 kind: Deployment metadata: labels: app: kyverno app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno app.kubernetes.io/version: v1.4.0-rc4 name: kyverno namespace: kyverno spec: replicas: 1 selector: matchLabels: app: kyverno app.kubernetes.io/name: kyverno template: metadata: labels: app: kyverno app.kubernetes.io/component: kyverno app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno app.kubernetes.io/version: v1.4.0-rc4 spec: containers: - args: - --filterK8sResources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*] - -v=2 env: - name: INIT_CONFIG value: init-config - name: KYVERNO_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: KYVERNO_SVC value: kyverno-svc image: ghcr.io/kyverno/kyverno:v1.4.0-rc4 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 2 httpGet: path: /health/liveness port: 9443 scheme: HTTPS initialDelaySeconds: 10 periodSeconds: 30 successThreshold: 1 timeoutSeconds: 5 name: kyverno ports: - containerPort: 9443 name: https protocol: TCP - containerPort: 8000 name: metrics-port protocol: TCP readinessProbe: failureThreshold: 4 httpGet: path: /health/readiness port: 9443 scheme: HTTPS initialDelaySeconds: 5 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 5 resources: limits: memory: 256Mi requests: cpu: 100m memory: 50Mi securityContext: allowPrivilegeEscalation: false capabilities: drop: - all privileged: false readOnlyRootFilesystem: true runAsNonRoot: true initContainers: - image: ghcr.io/kyverno/kyvernopre:v1.4.0-rc4 imagePullPolicy: IfNotPresent name: kyverno-pre resources: limits: cpu: 100m memory: 256Mi requests: cpu: 10m memory: 64Mi securityContext: allowPrivilegeEscalation: false capabilities: drop: - all privileged: false readOnlyRootFilesystem: true runAsNonRoot: true securityContext: runAsNonRoot: true serviceAccountName: kyverno-service-account