--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.11.1 creationTimestamp: null name: admissionreports.kyverno.io spec: group: kyverno.io names: categories: - kyverno kind: AdmissionReport listKind: AdmissionReportList plural: admissionreports shortNames: - admr singular: admissionreport scope: Namespaced versions: - additionalPrinterColumns: - jsonPath: .metadata.ownerReferences[0].apiVersion name: ApiVersion priority: 1 type: string - jsonPath: .metadata.ownerReferences[0].kind name: Kind priority: 1 type: string - jsonPath: .metadata.ownerReferences[0].name name: Subject priority: 1 type: string - jsonPath: .spec.summary.pass name: Pass type: integer - jsonPath: .spec.summary.fail name: Fail type: integer - jsonPath: .spec.summary.warn name: Warn type: integer - jsonPath: .spec.summary.error name: Error type: integer - jsonPath: .spec.summary.skip name: Skip type: integer - jsonPath: .metadata.creationTimestamp name: Age type: date - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash'] name: Hash priority: 1 type: string - jsonPath: .metadata.labels['audit\.kyverno\.io/report\.aggregate'] name: AGGREGATE priority: 1 type: string name: v1alpha2 schema: openAPIV3Schema: description: AdmissionReport is the Schema for the AdmissionReports API properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: properties: owner: description: Owner is a reference to the report owner (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string blockOwnerDeletion: description: If true, AND if the owner has the "foregroundDeletion" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. To set this field, a user needs "delete" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned. type: boolean controller: description: If true, this reference points to the managing controller. type: boolean kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: description: 'Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names' type: string uid: description: 'UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids' type: string required: - apiVersion - kind - name - uid type: object x-kubernetes-map-type: atomic results: description: PolicyReportResult provides result details items: description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category type: string message: description: Description is a short user friendly message for the policy rule type: string policy: description: Policy is the name or identifier of the policy type: string properties: additionalProperties: type: string description: Properties provides additional information for the policy rule type: object resourceSelector: description: SubjectSelector is an optional label selector for checked Kubernetes resources. For example, a policy result may apply to all pods that match a label. Either a Subject or a SubjectSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic resources: description: Subjects is an optional reference to the checked Kubernetes resources items: description: "ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. \ It includes many fields which are not generally honored. \ For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. \ In most embedded usages, there are particular restrictions like, \"must refer only to types A and B\" or \"UID not honored\" or \"name must be restricted\". Those cannot be well described when embedded. 3. Inconsistent validation. \ Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. \n Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 ." properties: apiVersion: description: API version of the referent. type: string fieldPath: description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object x-kubernetes-map-type: atomic type: array result: description: Result indicates the outcome of the policy rule execution enum: - pass - fail - warn - error - skip type: string rule: description: Rule is the name or identifier of the rule within the policy type: string scored: description: Scored indicates if this result is scored type: boolean severity: description: Severity indicates policy check result criticality enum: - critical - high - low - medium - info type: string source: description: Source is an identifier for the policy engine that manages this report type: string timestamp: description: Timestamp indicates the time the result was found properties: nanos: description: Non-negative fractions of a second at nanosecond resolution. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be from 0 to 999,999,999 inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: description: Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: - nanos - seconds type: object required: - policy type: object type: array summary: description: PolicyReportSummary provides a summary of results properties: error: description: Error provides the count of policies that could not be evaluated type: integer fail: description: Fail provides the count of policies whose requirements were not met type: integer pass: description: Pass provides the count of policies whose requirements were met type: integer skip: description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: description: Warn provides the count of non-scored policies whose requirements were not met type: integer type: object required: - owner type: object required: - spec type: object served: true storage: true subresources: {}