--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 creationTimestamp: null name: clusterpolicies.kyverno.io spec: group: kyverno.io names: kind: ClusterPolicy listKind: ClusterPolicyList plural: clusterpolicies shortNames: - cpol singular: clusterpolicy scope: Cluster versions: - additionalPrinterColumns: - jsonPath: .spec.background name: Background type: string - jsonPath: .spec.validationFailureAction name: Validatoin Failure Action type: string name: v1 schema: openAPIV3Schema: description: ClusterPolicy declares validation, mutation, and generation behaviors for matching resources. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: Spec declares policy behaviors. properties: background: description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). type: boolean rules: description: Rules is a list of Rule instances items: description: Rule defines a validation, mutation, or generation control for matching resources. properties: context: description: Context defines data sources and variables that can be used during rule execution. items: description: ContextEntry adds variables and data sources to a rule Context properties: configMap: description: ConfigMapReference refers to a ConfigMap properties: name: type: string namespace: type: string type: object name: type: string type: object type: array exclude: description: ExcludeResources selects resources to which the policy rule should not be applied. properties: clusterRoles: description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string description: Annotations is a map of annotations (string key-value pairs). Annotation values supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: object kinds: description: Kinds is a list of resource kinds. items: type: string type: array name: description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaces: description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: description: Selector is a label selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: description: Subjects is the list of subject names like users, user groups, and service accounts. items: description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind - name type: object type: array type: object generate: description: Generation creates new resources. properties: apiVersion: description: APIVersion specifies resource apiVersion. type: string clone: description: Clone specified the source resource used to populate each generated resource. Exactly one of Data or Clone must be specified. properties: name: description: Name specifies name of the resource. type: string namespace: description: Namespace specifies source resource namespace. type: string type: object data: description: Data provides the resource manifest to used to populate each generated resource. Exactly one of Data or Clone must be specified. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. type: string name: description: Name specifies the resource name. type: string namespace: description: Namespace specifies resource namespace. type: string synchronize: description: Synchronize controls if generated resources should be kept in-sync with their source resource. Optional. Defaults to "false" if not specified. type: boolean type: object match: description: MatchResources selects resources to which the policy rule should be applied. At least one kind is required. properties: clusterRoles: description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string description: Annotations is a map of annotations (string key-value pairs). Annotation values supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: object kinds: description: Kinds is a list of resource kinds. items: type: string type: array name: description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaces: description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: description: Selector is a label selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: description: Subjects is the list of subject names like users, user groups, and service accounts. items: description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind - name type: object type: array type: object mutate: description: Mutation modifies matching resources. properties: overlay: description: Overlay specifies an overlay pattern to modify resources. DEPRECATED. Use PatchStrategicMerge instead. Scheduled for removal in release 1.5+. patchStrategicMerge: description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. patches: description: Patches specifies a RFC 6902 JSON Patch to modify resources. DEPRECATED. Use PatchesJSON6902 instead. Scheduled for removal in release 1.5+. items: description: 'Patch is a RFC 6902 JSON Patch. See: https://tools.ietf.org/html/rfc6902' properties: op: description: Operation specifies operations supported by JSON Patch. i.e:- add, replace and delete. type: string path: description: Path specifies path of the resource. type: string value: description: Value specifies the value to be applied. type: object nullable: true type: array patchesJson6902: description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string type: object name: description: Name is a label to identify the rule, Must be unique within the policy. type: string preconditions: description: Conditions enabled variable-based conditional rule execution. items: description: Condition defines variable-based conditional criteria for rule execution. properties: key: description: Key is the context entry (using JMESPath) for conditional rule evaluation. operator: description: Operator is the operation to perform. type: string value: description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. type: object type: array validate: description: Validation checks matching resources. properties: anyPattern: description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. deny: description: Deny defines conditions to fail the validation rule. properties: conditions: description: Specifies set of condition to deny. items: description: Condition defines variable-based conditional criteria for rule execution. properties: key: description: Key is the context entry (using JMESPath) for conditional rule evaluation. operator: description: Operator is the operation to perform. type: string value: description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. type: object type: array type: object message: description: Message specifies a custom message to be displayed on failure. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. type: object type: object type: array validationFailureAction: default: audit description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". type: string type: object status: description: Status contains policy runtime data. properties: averageExecutionTime: description: AvgExecutionTime is the average time taken to process the policy rules on a resource. type: string resourcesBlockedCount: description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this policy. type: integer resourcesGeneratedCount: description: ResourcesGeneratedCount is the total count of resources that were generated by this policy. type: integer resourcesMutatedCount: description: ResourcesMutatedCount is the total count of resources that were mutated by this policy. type: integer ruleStatus: description: Rules provides per rule statistics items: description: RuleStats provides statistics for an individual rule within a policy. properties: appliedCount: description: AppliedCount is the total number of times this rule was applied. type: integer averageExecutionTime: description: ExecutionTime is the average time taken to execute this rule. type: string failedCount: description: FailedCount is the total count of policy error results for this rule. type: integer resourcesBlockedCount: description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this rule. type: integer resourcesGeneratedCount: description: ResourcesGeneratedCount is the total count of resources that were generated by this rule. type: integer resourcesMutatedCount: description: ResourcesMutatedCount is the total count of resources that were mutated by this rule. type: integer ruleName: description: Name is the rule name. type: string violationCount: description: ViolationCount is the total count of policy failure results for this rule. type: integer required: - ruleName type: object type: array rulesAppliedCount: description: RulesAppliedCount is the total number of times this policy was applied. type: integer rulesFailedCount: description: RulesFailedCount is the total count of policy execution errors for this policy. type: integer violationCount: description: ViolationCount is the total count of policy failure results for this policy. type: integer type: object required: - spec type: object served: true storage: true subresources: status: {} status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: []