mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-06 07:57:07 +00:00
581 lines
31 KiB
YAML
581 lines
31 KiB
YAML
|
|
---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.4.0
|
|
creationTimestamp: null
|
|
name: clusterpolicies.kyverno.io
|
|
spec:
|
|
group: kyverno.io
|
|
names:
|
|
kind: ClusterPolicy
|
|
listKind: ClusterPolicyList
|
|
plural: clusterpolicies
|
|
shortNames:
|
|
- cpol
|
|
singular: clusterpolicy
|
|
scope: Cluster
|
|
versions:
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .spec.background
|
|
name: Background
|
|
type: string
|
|
- jsonPath: .spec.validationFailureAction
|
|
name: Validatoin Failure Action
|
|
type: string
|
|
name: v1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: ClusterPolicy declares validation, mutation, and generation behaviors
|
|
for matching resources.
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Spec declares policy behaviors.
|
|
properties:
|
|
background:
|
|
default: true
|
|
description: Background controls if rules are applied to existing
|
|
resources during a background scan. Optional. Default value is "true".
|
|
The value must be set to "false" if the policy rule uses variables
|
|
that are only available in the admission review request (e.g. user
|
|
name).
|
|
type: boolean
|
|
rules:
|
|
description: Rules is a list of Rule instances
|
|
items:
|
|
description: Rule defines a validation, mutation, or generation
|
|
control for matching resources.
|
|
properties:
|
|
context:
|
|
description: Context defines data sources and variables that
|
|
can be used during rule execution.
|
|
items:
|
|
description: ContextEntry adds variables and data sources
|
|
to a rule Context
|
|
properties:
|
|
configMap:
|
|
description: ConfigMapReference refers to a ConfigMap
|
|
properties:
|
|
name:
|
|
type: string
|
|
namespace:
|
|
type: string
|
|
type: object
|
|
name:
|
|
type: string
|
|
type: object
|
|
type: array
|
|
exclude:
|
|
description: ExcludeResources selects resources to which the
|
|
policy rule should not be applied.
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information about
|
|
the resource being created or modified.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations is a map of annotations (string
|
|
key-value pairs). Annotation values supports wildcard
|
|
characters "*" (matches zero or many characters) and
|
|
"?" (at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: Name is the name of the resource. The name
|
|
supports wildcard characters "*" (matches zero or
|
|
many characters) and "?" (at least one character).
|
|
type: string
|
|
namespaces:
|
|
description: Namespaces is a list of namespaces names.
|
|
Each name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: Selector is a label selector.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement is a
|
|
selector that contains values, a key, and an
|
|
operator that relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's relationship
|
|
to a set of values. Valid operators are
|
|
In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the
|
|
operator is Exists or DoesNotExist, the
|
|
values array must be empty. This array is
|
|
replaced during a strategic merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is "In",
|
|
and the values array contains only "value". The
|
|
requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: Subject contains a reference to the object
|
|
or user identities a role binding applies to. This
|
|
can either hold a direct API object reference, or a
|
|
value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: APIGroup holds the API group of the referenced
|
|
subject. Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User
|
|
and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: Kind of object being referenced. Values
|
|
defined by this API group are "User", "Group", and
|
|
"ServiceAccount". If the Authorizer does not recognized
|
|
the kind value, the Authorizer should report an
|
|
error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the referenced object. If
|
|
the object kind is non-namespace, such as "User"
|
|
or "Group", and this value is not empty the Authorizer
|
|
should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
type: array
|
|
type: object
|
|
generate:
|
|
description: Generation creates new resources.
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
clone:
|
|
description: Clone specified the source resource used to
|
|
populate each generated resource. Exactly one of Data
|
|
or Clone must be specified.
|
|
properties:
|
|
name:
|
|
description: Name specifies name of the resource.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies source resource namespace.
|
|
type: string
|
|
type: object
|
|
data:
|
|
description: Data provides the resource manifest to used
|
|
to populate each generated resource. Exactly one of Data
|
|
or Clone must be specified.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
synchronize:
|
|
default: false
|
|
description: Synchronize controls if generated resources
|
|
should be kept in-sync with their source resource. Optional.
|
|
Defaults to "false" if not specified.
|
|
type: boolean
|
|
type: object
|
|
match:
|
|
description: MatchResources selects resources to which the policy
|
|
rule should be applied. At least one kind is required.
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information about
|
|
the resource being created or modified.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations is a map of annotations (string
|
|
key-value pairs). Annotation values supports wildcard
|
|
characters "*" (matches zero or many characters) and
|
|
"?" (at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: Name is the name of the resource. The name
|
|
supports wildcard characters "*" (matches zero or
|
|
many characters) and "?" (at least one character).
|
|
type: string
|
|
namespaces:
|
|
description: Namespaces is a list of namespaces names.
|
|
Each name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: Selector is a label selector.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement is a
|
|
selector that contains values, a key, and an
|
|
operator that relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's relationship
|
|
to a set of values. Valid operators are
|
|
In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the
|
|
operator is Exists or DoesNotExist, the
|
|
values array must be empty. This array is
|
|
replaced during a strategic merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is "In",
|
|
and the values array contains only "value". The
|
|
requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: Subject contains a reference to the object
|
|
or user identities a role binding applies to. This
|
|
can either hold a direct API object reference, or a
|
|
value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: APIGroup holds the API group of the referenced
|
|
subject. Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User
|
|
and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: Kind of object being referenced. Values
|
|
defined by this API group are "User", "Group", and
|
|
"ServiceAccount". If the Authorizer does not recognized
|
|
the kind value, the Authorizer should report an
|
|
error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the referenced object. If
|
|
the object kind is non-namespace, such as "User"
|
|
or "Group", and this value is not empty the Authorizer
|
|
should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
type: array
|
|
type: object
|
|
mutate:
|
|
description: Mutation modifies matching resources.
|
|
properties:
|
|
overlay:
|
|
description: Overlay specifies an overlay pattern to modify
|
|
resources. DEPRECATED. Use PatchStrategicMerge instead.
|
|
Scheduled for removal in release 1.5+.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
patchStrategicMerge:
|
|
description: PatchStrategicMerge is a strategic merge patch
|
|
used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
|
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
patches:
|
|
description: Patches specifies a RFC 6902 JSON Patch to
|
|
modify resources. DEPRECATED. Use PatchesJSON6902 instead.
|
|
Scheduled for removal in release 1.5+.
|
|
items:
|
|
description: 'Patch is a RFC 6902 JSON Patch. See: https://tools.ietf.org/html/rfc6902'
|
|
properties:
|
|
op:
|
|
description: Operation specifies operations supported
|
|
by JSON Patch. i.e:- add, replace and delete.
|
|
type: string
|
|
path:
|
|
description: Path specifies path of the resource.
|
|
type: string
|
|
value:
|
|
description: Value specifies the value to be applied.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
nullable: true
|
|
type: array
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
patchesJson6902:
|
|
description: PatchesJSON6902 is a list of RFC 6902 JSON
|
|
Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902
|
|
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
|
type: string
|
|
type: object
|
|
name:
|
|
description: Name is a label to identify the rule, Must be unique
|
|
within the policy.
|
|
type: string
|
|
preconditions:
|
|
description: Conditions enabled variable-based conditional rule
|
|
execution.
|
|
items:
|
|
description: Condition defines variable-based conditional
|
|
criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using JMESPath)
|
|
for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
operator:
|
|
description: Operator is the operation to perform.
|
|
type: string
|
|
value:
|
|
description: Value is the conditional value, or set of
|
|
values. The values can be fixed set or can be variables
|
|
declared using using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
validate:
|
|
description: Validation checks matching resources.
|
|
properties:
|
|
anyPattern:
|
|
description: AnyPattern specifies list of validation patterns.
|
|
At least one of the patterns must be satisfied for the
|
|
validation rule to succeed.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
deny:
|
|
description: Deny defines conditions to fail the validation
|
|
rule.
|
|
properties:
|
|
conditions:
|
|
description: Specifies set of condition to deny.
|
|
items:
|
|
description: Condition defines variable-based conditional
|
|
criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using JMESPath)
|
|
for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
operator:
|
|
description: Operator is the operation to perform.
|
|
type: string
|
|
value:
|
|
description: Value is the conditional value, or
|
|
set of values. The values can be fixed set or
|
|
can be variables declared using using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
message:
|
|
description: Message specifies a custom message to be displayed
|
|
on failure.
|
|
type: string
|
|
pattern:
|
|
description: Pattern specifies an overlay-style pattern
|
|
used to check resources.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: object
|
|
type: array
|
|
validationFailureAction:
|
|
default: audit
|
|
description: ValidationFailureAction controls if a validation policy
|
|
rule failure should disallow the admission review request (enforce),
|
|
or allow (audit) the admission review request and report an error
|
|
in a policy report. Optional. The default value is "audit".
|
|
type: string
|
|
type: object
|
|
status:
|
|
description: Status contains policy runtime data.
|
|
properties:
|
|
averageExecutionTime:
|
|
description: AvgExecutionTime is the average time taken to process
|
|
the policy rules on a resource.
|
|
type: string
|
|
resourcesBlockedCount:
|
|
description: ResourcesBlockedCount is the total count of admission
|
|
review requests that were blocked by this policy.
|
|
type: integer
|
|
resourcesGeneratedCount:
|
|
description: ResourcesGeneratedCount is the total count of resources
|
|
that were generated by this policy.
|
|
type: integer
|
|
resourcesMutatedCount:
|
|
description: ResourcesMutatedCount is the total count of resources
|
|
that were mutated by this policy.
|
|
type: integer
|
|
ruleStatus:
|
|
description: Rules provides per rule statistics
|
|
items:
|
|
description: RuleStats provides statistics for an individual rule
|
|
within a policy.
|
|
properties:
|
|
appliedCount:
|
|
description: AppliedCount is the total number of times this
|
|
rule was applied.
|
|
type: integer
|
|
averageExecutionTime:
|
|
description: ExecutionTime is the average time taken to execute
|
|
this rule.
|
|
type: string
|
|
failedCount:
|
|
description: FailedCount is the total count of policy error
|
|
results for this rule.
|
|
type: integer
|
|
resourcesBlockedCount:
|
|
description: ResourcesBlockedCount is the total count of admission
|
|
review requests that were blocked by this rule.
|
|
type: integer
|
|
resourcesGeneratedCount:
|
|
description: ResourcesGeneratedCount is the total count of resources
|
|
that were generated by this rule.
|
|
type: integer
|
|
resourcesMutatedCount:
|
|
description: ResourcesMutatedCount is the total count of resources
|
|
that were mutated by this rule.
|
|
type: integer
|
|
ruleName:
|
|
description: Name is the rule name.
|
|
type: string
|
|
violationCount:
|
|
description: ViolationCount is the total count of policy failure
|
|
results for this rule.
|
|
type: integer
|
|
required:
|
|
- ruleName
|
|
type: object
|
|
type: array
|
|
rulesAppliedCount:
|
|
description: RulesAppliedCount is the total number of times this policy
|
|
was applied.
|
|
type: integer
|
|
rulesFailedCount:
|
|
description: RulesFailedCount is the total count of policy execution
|
|
errors for this policy.
|
|
type: integer
|
|
violationCount:
|
|
description: ViolationCount is the total count of policy failure results
|
|
for this policy.
|
|
type: integer
|
|
type: object
|
|
required:
|
|
- spec
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources:
|
|
status: {}
|
|
status:
|
|
acceptedNames:
|
|
kind: ""
|
|
plural: ""
|
|
conditions: []
|
|
storedVersions: []
|