Package: kyverno.io/v2alpha1

Resource Types:

CELPolicyException
GlobalContextEntry
ValidatingPolicy

CELPolicyException

PolicyException declares resources to be excluded from specified policies.

Field Description

apiVersion
string kyverno.io/v2alpha1

kind
string CELPolicyException

metadata *
meta/v1.ObjectMeta Refer to the Kubernetes API documentation for the fields of the metadata field.

spec *
CELPolicyExceptionSpec

Spec declares policy exception behaviors.

`policyRefs` * []PolicyRef	PolicyRefs identifies the policies to which the exception is applied.
`matchConstraints` * admissionregistration/v1.MatchResources	MatchConstraints is used to check if a resource applies to the exception.
`matchConditions` []admissionregistration/v1.MatchCondition	MatchConditions is a list of CEL expressions that must be met for a resource to be excluded.

GlobalContextEntry

GlobalContextEntry declares resources to be cached.

Field Description

apiVersion
string kyverno.io/v2alpha1

kind
string GlobalContextEntry

metadata *
meta/v1.ObjectMeta Refer to the Kubernetes API documentation for the fields of the metadata field.

spec *
GlobalContextEntrySpec

Spec declares policy exception behaviors.

kubernetesResource *
KubernetesResource

Stores a list of Kubernetes resources which will be cached. Mutually exclusive with APICall.

apiCall *
ExternalAPICall

Stores results from an API call which will be cached. Mutually exclusive with KubernetesResource. This can be used to make calls to external (non-Kubernetes API server) services. It can also be used to make calls to the Kubernetes API server in such cases:

A POST is needed to create a resource.
Finer-grained control is needed. Example: To restrict the number of resources cached.

status
GlobalContextEntryStatus

Status contains globalcontextentry runtime data.

ValidatingPolicy

Field Description

apiVersion
string kyverno.io/v2alpha1

kind
string ValidatingPolicy

metadata *
meta/v1.ObjectMeta Refer to the Kubernetes API documentation for the fields of the metadata field.

spec *
ValidatingPolicySpec

`ValidatingAdmissionPolicySpec` * admissionregistration/v1.ValidatingAdmissionPolicySpec	(Members of `ValidatingAdmissionPolicySpec` are embedded into this type.)
`validationActions` * []admissionregistration/v1.ValidationAction	ValidationAction specifies the action to be taken when the matched resource violates the policy.
`webhookConfiguration` WebhookConfiguration	WebhookConfiguration defines the configuration for the webhook.

CELPolicyExceptionSpec

(Appears in: CELPolicyException)

PolicyExceptionSpec stores policy exception spec

Field	Description
`policyRefs` * []PolicyRef	PolicyRefs identifies the policies to which the exception is applied.
`matchConstraints` * admissionregistration/v1.MatchResources	MatchConstraints is used to check if a resource applies to the exception.
`matchConditions` []admissionregistration/v1.MatchCondition	MatchConditions is a list of CEL expressions that must be met for a resource to be excluded.

ExternalAPICall

(Appears in: GlobalContextEntrySpec)

Field	Description
`APICall` * APICall	(Members of `APICall` are embedded into this type.)
`refreshInterval` * meta/v1.Duration	RefreshInterval defines the interval in duration at which to poll the APICall. The duration is a sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
`retryLimit` int	RetryLimit defines the number of times the APICall should be retried in case of failure.

GlobalContextEntrySpec

(Appears in: GlobalContextEntry)

GlobalContextEntrySpec stores policy exception spec

Field	Description
`kubernetesResource` * KubernetesResource	Stores a list of Kubernetes resources which will be cached. Mutually exclusive with APICall.
`apiCall` * ExternalAPICall	Stores results from an API call which will be cached. Mutually exclusive with KubernetesResource. This can be used to make calls to external (non-Kubernetes API server) services. It can also be used to make calls to the Kubernetes API server in such cases: A POST is needed to create a resource. Finer-grained control is needed. Example: To restrict the number of resources cached.

GlobalContextEntryStatus

(Appears in: GlobalContextEntry)

Field	Description
`ready` * bool	Deprecated in favor of Conditions
`conditions` []meta/v1.Condition
`lastRefreshTime` meta/v1.Time	Indicates the time when the globalcontextentry was last refreshed successfully for the API Call

KubernetesResource

(Appears in: GlobalContextEntrySpec)

KubernetesResource stores infos about kubernetes resource that should be cached

Field	Description
`group` * string	Group defines the group of the resource.
`version` * string	Version defines the version of the resource.
`resource` * string	Resource defines the type of the resource. Requires the pluralized form of the resource kind in lowercase. (Ex., "deployments")
`namespace` string	Namespace defines the namespace of the resource. Leave empty for cluster scoped resources. If left empty for namespaced resources, all resources from all namespaces will be cached.

PolicyRef

(Appears in: CELPolicyExceptionSpec)

Field	Description
`name` * string	Name is the name of the policy
`kind` * string	Kind is the kind of the policy

ValidatingPolicySpec

(Appears in: ValidatingPolicy)

ValidatingPolicySpec is the specification of the desired behavior of the ValidatingPolicy.

Field	Description
`ValidatingAdmissionPolicySpec` * admissionregistration/v1.ValidatingAdmissionPolicySpec	(Members of `ValidatingAdmissionPolicySpec` are embedded into this type.)
`validationActions` * []admissionregistration/v1.ValidationAction	ValidationAction specifies the action to be taken when the matched resource violates the policy.
`webhookConfiguration` WebhookConfiguration	WebhookConfiguration defines the configuration for the webhook.

WebhookConfiguration

(Appears in: ValidatingPolicySpec)

Field	Description
`timeoutSeconds` * int32	TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. After the configured time expires, the admission request may fail, or may simply ignore the policy results, based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.