mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-06 16:06:56 +00:00
Code Activity
kyverno/definitions/install_debug.yaml
Shuting Zhao 365dd6e408 update kyverno crd types.go
2020-11-13 16:02:44 -08:00

2916 lines
131 KiB
YAML
Executable file
Raw Blame History

apiVersion: v1
kind: Namespace
metadata:
name: kyverno
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.0
creationTimestamp: null
name: clusterpolicies.kyverno.io
spec:
group: kyverno.io
names:
kind: ClusterPolicy
listKind: ClusterPolicyList
plural: clusterpolicies
shortNames:
- cpol
singular: clusterpolicy
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .spec.background
name: Background
type: string
- jsonPath: .spec.validationFailureAction
name: Validatoin Failure Action
type: string
name: v1
schema:
openAPIV3Schema:
description: ClusterPolicy ...
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec is the information to identify the policy
properties:
background:
default: true
description: Background controls if rules are applied to existing
resources during a background scan. Default value is "true".
type: boolean
rules:
description: Rules contains the list of rules to be applied to resources.
items:
description: Rule contains a mutation, validation, or generation
action for the single resource description.
properties:
context:
description: Defines variables that can be used during rule
execution.
items:
properties:
configMap:
properties:
name:
type: string
namespace:
type: string
type: object
name:
type: string
type: object
type: array
exclude:
description: Selects resources for which the policy rule should
not be applied.
properties:
clusterRoles:
description: Specifies list of cluster wide role names.
items:
type: string
type: array
resources:
description: Specifies resources to which rule is excluded.
properties:
annotations:
additionalProperties:
type: string
description: Specifies map of annotations.
type: object
kinds:
description: Specifies list of resource kind.
items:
type: string
type: array
name:
description: Specifies name of the resource.
type: string
namespaces:
description: Specifies list of namespaces.
items:
type: string
type: array
selector:
description: Specifies the set of selectors.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
type: object
roles:
description: Specifies list of namespaced role names.
items:
type: string
type: array
subjects:
description: Specifies list of subject names like users,
user groups, and service accounts.
items:
description: Subject contains a reference to the object
or user identities a role binding applies to. This
can either hold a direct API object reference, or a
value for non-objects such as user and group names.
properties:
apiGroup:
description: APIGroup holds the API group of the referenced
subject. Defaults to "" for ServiceAccount subjects.
Defaults to "rbac.authorization.k8s.io" for User
and Group subjects.
type: string
kind:
description: Kind of object being referenced. Values
defined by this API group are "User", "Group", and
"ServiceAccount". If the Authorizer does not recognized
the kind value, the Authorizer should report an
error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
description: Namespace of the referenced object. If
the object kind is non-namespace, such as "User"
or "Group", and this value is not empty the Authorizer
should report an error.
type: string
required:
- kind
- name
type: object
type: array
type: object
generate:
description: Generates new resources.
properties:
apiVersion:
description: Specifies resource apiVersion.
type: string
clone:
description: To clone resource from other resource.
properties:
name:
description: Specifies name of the resource.
type: string
namespace:
description: Specifies resource namespace.
type: string
type: object
data:
description: Data specifies the resource manifest to be
generated.
x-kubernetes-preserve-unknown-fields: true
kind:
description: Specifies resource kind.
type: string
name:
description: Specifies resource name.
type: string
namespace:
description: Specifies resource namespace.
type: string
synchronize:
default: false
description: To keep resources synchronized with source
resource.
type: boolean
type: object
match:
description: Selects resources for which the policy rule should
be applied. If it's defined, "kinds" inside MatchResources
block is required.
properties:
clusterRoles:
description: Specifies list of cluster wide role names.
items:
type: string
type: array
resources:
description: Specifies resources to which rule is applied.
properties:
annotations:
additionalProperties:
type: string
description: Specifies map of annotations.
type: object
kinds:
description: Specifies list of resource kind.
items:
type: string
type: array
name:
description: Specifies name of the resource.
type: string
namespaces:
description: Specifies list of namespaces.
items:
type: string
type: array
selector:
description: Specifies the set of selectors.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
type: object
roles:
description: Specifies list of namespaced role names.
items:
type: string
type: array
subjects:
description: Specifies list of subject names like users,
user groups, and service accounts.
items:
description: Subject contains a reference to the object
or user identities a role binding applies to. This
can either hold a direct API object reference, or a
value for non-objects such as user and group names.
properties:
apiGroup:
description: APIGroup holds the API group of the referenced
subject. Defaults to "" for ServiceAccount subjects.
Defaults to "rbac.authorization.k8s.io" for User
and Group subjects.
type: string
kind:
description: Kind of object being referenced. Values
defined by this API group are "User", "Group", and
"ServiceAccount". If the Authorizer does not recognized
the kind value, the Authorizer should report an
error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
description: Namespace of the referenced object. If
the object kind is non-namespace, such as "User"
or "Group", and this value is not empty the Authorizer
should report an error.
type: string
required:
- kind
- name
type: object
type: array
type: object
mutate:
description: Modifies matching resources.
properties:
overlay:
description: Specifies overlay patterns. Overlay is preserved
for backwards compatibility and will be removed in Kyverno
1.5+.
x-kubernetes-preserve-unknown-fields: true
patchStrategicMerge:
x-kubernetes-preserve-unknown-fields: true
patches:
description: Specifies JSON Patch. Patches is preserved
for backwards compatibility and will be removed in Kyverno
1.5+.
items:
description: Patch declares patch operation for created
object according to RFC 6902.
properties:
op:
description: Specifies operations supported by JSON
Patch. i.e:- add, replace and delete.
type: string
path:
description: Specifies path of the resource.
type: string
value:
description: Specifies the value to be applied.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
patchesJson6902:
type: string
type: object
name:
description: A unique label for the rule.
type: string
preconditions:
description: Allows condition-based control of the policy rule
execution.
items:
description: Condition defines the evaluation condition.
properties:
key:
description: Key contains key to compare.
x-kubernetes-preserve-unknown-fields: true
operator:
description: Operator to compare against value.
type: string
value:
description: Value to be compared.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
validate:
description: Checks matching resources.
properties:
anyPattern:
description: Specifies list of validation patterns.
x-kubernetes-preserve-unknown-fields: true
deny:
description: Specifies conditions to deny validation.
properties:
conditions:
description: Specifies set of condition to deny.
items:
description: Condition defines the evaluation condition.
properties:
key:
description: Key contains key to compare.
x-kubernetes-preserve-unknown-fields: true
operator:
description: Operator to compare against value.
type: string
value:
description: Value to be compared.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
type: object
message:
description: Specifies message to be displayed on validation
policy violation.
type: string
pattern:
description: Specifies validation pattern.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
validationFailureAction:
default: audit
description: ValidationFailureAction controls if a policy failure
should not disallow an admission review request (enforce), or allow
(audit) and report an error. Default value is "audit".
type: string
type: object
status:
description: Status contains statistics related to policy
properties:
averageExecutionTime:
description: Average time required to process the policy rules on
a resource.
type: string
resourcesBlockedCount:
description: Count of resources that were blocked for failing a validate,
across all rules.
type: integer
resourcesGeneratedCount:
description: Count of resources that were successfully generated,
across all rules.
type: integer
resourcesMutatedCount:
description: Count of resources that were successfully mutated, across
all rules.
type: integer
ruleStatus:
items:
description: RuleStats provides status per rule.
properties:
appliedCount:
description: Count of rules that were applied.
type: integer
averageExecutionTime:
description: Average time require to process the rule.
type: string
failedCount:
description: Count of rules that failed.
type: integer
resourcesBlockedCount:
description: Count of resources for whom update/create api requests
were blocked as the resource did not satisfy the policy rules.
type: integer
resourcesGeneratedCount:
description: Count of resources that were successfully generated.
type: integer
resourcesMutatedCount:
description: Count of resources that were successfully mutated.
type: integer
ruleName:
description: Rule name.
type: string
violationCount:
description: Number of violations created by this rule.
type: integer
required:
- ruleName
type: object
type: array
rulesAppliedCount:
description: Count of rules that were applied.
type: integer
rulesFailedCount:
description: Count of rules that failed.
type: integer
violationCount:
description: Number of violations created by this policy.
type: integer
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.0
creationTimestamp: null
name: clusterpolicyreports.wgpolicyk8s.io
spec:
group: wgpolicyk8s.io
names:
kind: ClusterPolicyReport
listKind: ClusterPolicyReportList
plural: clusterpolicyreports
shortNames:
- cpolr
singular: clusterpolicyreport
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .scope.kind
name: Kind
priority: 1
type: string
- jsonPath: .scope.name
name: Name
priority: 1
type: string
- jsonPath: .summary.pass
name: Pass
type: integer
- jsonPath: .summary.fail
name: Fail
type: integer
- jsonPath: .summary.warn
name: Warn
type: integer
- jsonPath: .summary.error
name: Error
type: integer
- jsonPath: .summary.skip
name: Skip
type: integer
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: ClusterPolicyReport is the Schema for the clusterpolicyreports
API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
results:
description: PolicyReportResult provides result details
items:
description: PolicyReportResult provides the result for an individual
policy
properties:
category:
description: Category indicates policy category
type: string
data:
additionalProperties:
type: string
description: Data provides additional information for the policy
rule
type: object
message:
description: Message is a short user friendly description of the
policy rule
type: string
policy:
description: Policy is the name of the policy
type: string
resourceSelector:
description: ResourceSelector is an optional selector for policy
results that apply to multiple resources. For example, a policy
result may apply to all pods that match a label. Either a Resource
or a ResourceSelector can be specified. If neither are provided,
the result is assumed to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that
contains values, a key, and an operator that relates the
key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
type: string
values:
description: values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a
strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
type: object
type: object
resources:
description: Resources is an optional reference to the resource
checked by the policy and rule
items:
description: 'ObjectReference contains enough information to let
you inspect or modify the referred object. --- New uses of this
type are discouraged because of difficulty describing its usage
when embedded in APIs. 1. Ignored fields. It includes many
fields which are not generally honored. For instance, ResourceVersion
and FieldPath are both very rarely valid in actual usage. 2.
Invalid usage help. It is impossible to add specific help for
individual usage. In most embedded usages, there are particular restrictions
like, "must refer only to types A and B" or "UID not honored"
or "name must be restricted". Those cannot be well described
when embedded. 3. Inconsistent validation. Because the usages
are different, the validation rules are different by usage,
which makes it hard for users to predict what will happen. 4.
The fields are both imprecise and overly precise. Kind is not
a precise mapping to a URL. This can produce ambiguity during
interpretation and require a REST mapping. In most cases, the
dependency is on the group,resource tuple and the version
of the actual struct is irrelevant. 5. We cannot easily change
it. Because this type is embedded in many locations, updates
to this type will affect numerous schemas. Don''t make
new APIs embed an underspecified API type they do not control.
Instead of using this type, create a locally provided and used
type that is well-focused on your reference. For example, ServiceReferences
for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
.'
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead
of an entire object, this string should contain a valid
JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part
of an object. TODO: this design is not final and this field
is subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
type: array
rule:
description: Rule is the name of the policy rule
type: string
scored:
description: Scored indicates if this policy rule is scored
type: boolean
severity:
description: Severity indicates policy severity
enum:
- high
- low
- medium
type: string
status:
description: Status indicates the result of the policy rule check
enum:
- pass
- fail
- warn
- error
- skip
type: string
required:
- policy
type: object
type: array
scope:
description: Scope is an optional reference to the report scope (e.g.
a Deployment, Namespace, or Node)
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead of an entire
object, this string should contain a valid JSON/Go field access
statement, such as desiredState.manifest.containers[2]. For example,
if the object reference is to a container within a pod, this would
take on a value like: "spec.containers{name}" (where "name" refers
to the name of the container that triggered the event) or if no
container name is specified "spec.containers[2]" (container with
index 2 in this pod). This syntax is chosen only to have some well-defined
way of referencing a part of an object. TODO: this design is not
final and this field is subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference is
made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes
(e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
should be specified.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains
values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship to a set
of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator
is In or NotIn, the values array must be non-empty. If the
operator is Exists or DoesNotExist, the values array must
be empty. This array is replaced during a strategic merge
patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value}
in the matchLabels map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In", and the values array
contains only "value". The requirements are ANDed.
type: object
type: object
summary:
description: PolicyReportSummary provides a summary of results
properties:
error:
description: Error provides the count of policies that could not be
evaluated
type: integer
fail:
description: Fail provides the count of policies whose requirements
were not met
type: integer
pass:
description: Pass provides the count of policies whose requirements
were met
type: integer
skip:
description: Skip indicates the count of policies that were not selected
for evaluation
type: integer
warn:
description: Warn provides the count of unscored policies whose requirements
were not met
type: integer
type: object
type: object
served: true
storage: true
subresources: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.0
creationTimestamp: null
name: clusterreportchangerequests.kyverno.io
spec:
group: kyverno.io
names:
kind: ClusterReportChangeRequest
listKind: ClusterReportChangeRequestList
plural: clusterreportchangerequests
singular: clusterreportchangerequest
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .scope.kind
name: Kind
priority: 1
type: string
- jsonPath: .scope.name
name: Name
priority: 1
type: string
- jsonPath: .summary.pass
name: Pass
type: integer
- jsonPath: .summary.fail
name: Fail
type: integer
- jsonPath: .summary.warn
name: Warn
type: integer
- jsonPath: .summary.error
name: Error
type: integer
- jsonPath: .summary.skip
name: Skip
type: integer
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests
API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
results:
description: PolicyReportResult provides result details
items:
description: PolicyReportResult provides the result for an individual
policy
properties:
category:
description: Category indicates policy category
type: string
data:
additionalProperties:
type: string
description: Data provides additional information for the policy
rule
type: object
message:
description: Message is a short user friendly description of the
policy rule
type: string
policy:
description: Policy is the name of the policy
type: string
resourceSelector:
description: ResourceSelector is an optional selector for policy
results that apply to multiple resources. For example, a policy
result may apply to all pods that match a label. Either a Resource
or a ResourceSelector can be specified. If neither are provided,
the result is assumed to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that
contains values, a key, and an operator that relates the
key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
type: string
values:
description: values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a
strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
type: object
type: object
resources:
description: Resources is an optional reference to the resource
checked by the policy and rule
items:
description: 'ObjectReference contains enough information to let
you inspect or modify the referred object. --- New uses of this
type are discouraged because of difficulty describing its usage
when embedded in APIs. 1. Ignored fields. It includes many
fields which are not generally honored. For instance, ResourceVersion
and FieldPath are both very rarely valid in actual usage. 2.
Invalid usage help. It is impossible to add specific help for
individual usage. In most embedded usages, there are particular restrictions
like, "must refer only to types A and B" or "UID not honored"
or "name must be restricted". Those cannot be well described
when embedded. 3. Inconsistent validation. Because the usages
are different, the validation rules are different by usage,
which makes it hard for users to predict what will happen. 4.
The fields are both imprecise and overly precise. Kind is not
a precise mapping to a URL. This can produce ambiguity during
interpretation and require a REST mapping. In most cases, the
dependency is on the group,resource tuple and the version
of the actual struct is irrelevant. 5. We cannot easily change
it. Because this type is embedded in many locations, updates
to this type will affect numerous schemas. Don''t make
new APIs embed an underspecified API type they do not control.
Instead of using this type, create a locally provided and used
type that is well-focused on your reference. For example, ServiceReferences
for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
.'
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead
of an entire object, this string should contain a valid
JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part
of an object. TODO: this design is not final and this field
is subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
type: array
rule:
description: Rule is the name of the policy rule
type: string
scored:
description: Scored indicates if this policy rule is scored
type: boolean
severity:
description: Severity indicates policy severity
enum:
- high
- low
- medium
type: string
status:
description: Status indicates the result of the policy rule check
enum:
- pass
- fail
- warn
- error
- skip
type: string
required:
- policy
type: object
type: array
scope:
description: Scope is an optional reference to the report scope (e.g.
a Deployment, Namespace, or Node)
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead of an entire
object, this string should contain a valid JSON/Go field access
statement, such as desiredState.manifest.containers[2]. For example,
if the object reference is to a container within a pod, this would
take on a value like: "spec.containers{name}" (where "name" refers
to the name of the container that triggered the event) or if no
container name is specified "spec.containers[2]" (container with
index 2 in this pod). This syntax is chosen only to have some well-defined
way of referencing a part of an object. TODO: this design is not
final and this field is subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference is
made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes
(e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
should be specified.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains
values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship to a set
of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator
is In or NotIn, the values array must be non-empty. If the
operator is Exists or DoesNotExist, the values array must
be empty. This array is replaced during a strategic merge
patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value}
in the matchLabels map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In", and the values array
contains only "value". The requirements are ANDed.
type: object
type: object
summary:
description: PolicyReportSummary provides a summary of results
properties:
error:
description: Error provides the count of policies that could not be
evaluated
type: integer
fail:
description: Fail provides the count of policies whose requirements
were not met
type: integer
pass:
description: Pass provides the count of policies whose requirements
were met
type: integer
skip:
description: Skip indicates the count of policies that were not selected
for evaluation
type: integer
warn:
description: Warn provides the count of unscored policies whose requirements
were not met
type: integer
type: object
type: object
served: true
storage: true
subresources: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.0
creationTimestamp: null
name: generaterequests.kyverno.io
spec:
group: kyverno.io
names:
kind: GenerateRequest
listKind: GenerateRequestList
plural: generaterequests
singular: generaterequest
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: GenerateRequest is a request to process generate rule
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec is the information to identify the generate request
properties:
context:
description: Context ...
properties:
userInfo:
description: RequestInfo contains permission info carried in an
admission request
properties:
clusterRoles:
description: ClusterRoles is a list of possible clusterRoles
send the request
items:
type: string
type: array
roles:
description: Roles is a list of possible role send the request
items:
type: string
type: array
userInfo:
description: UserInfo is the userInfo carried in the admission
request
properties:
extra:
additionalProperties:
description: ExtraValue masks the value so protobuf
can generate
items:
type: string
type: array
description: Any additional information provided by the
authenticator.
type: object
groups:
description: The names of groups this user is a part of.
items:
type: string
type: array
uid:
description: A unique value that identifies this user
across time. If this user is deleted and another user
by the same name is added, they will have different
UIDs.
type: string
username:
description: The name that uniquely identifies this user
among all active users.
type: string
type: object
required:
- clusterRoles
- roles
- userInfo
type: object
type: object
policy:
description: Specifies the name of the policy
type: string
resource:
description: ResourceSpec is the information to identify the generate
request
properties:
apiVersion:
description: Specifies resource apiVersion.
type: string
kind:
description: Specifies resource kind.
type: string
name:
description: Specifies resource name.
type: string
namespace:
description: Specifies resource namespace.
type: string
type: object
required:
- context
- policy
- resource
type: object
status:
description: Status contains statistics related to generate request
properties:
generatedResources:
description: This will track the resources that are generated by the
generate Policy Will be used during clean up resources
items:
description: ResourceSpec information to identify the resource.
properties:
apiVersion:
description: Specifies resource apiVersion.
type: string
kind:
description: Specifies resource kind.
type: string
name:
description: Specifies resource name.
type: string
namespace:
description: Specifies resource namespace.
type: string
type: object
type: array
message:
description: Specifies request status message
type: string
state:
description: State represents state of the generate request
type: string
required:
- state
type: object
required:
- spec
- status
type: object
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.0
creationTimestamp: null
name: policies.kyverno.io
spec:
group: kyverno.io
names:
kind: Policy
listKind: PolicyList
plural: policies
shortNames:
- pol
singular: policy
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.background
name: Background
type: string
- jsonPath: .spec.validationFailureAction
name: Validatoin Failure Action
type: string
name: v1
schema:
openAPIV3Schema:
description: Policy contains rules to be applied to created resources.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec is the information to identify the policy.
properties:
background:
default: true
description: Background controls if rules are applied to existing
resources during a background scan. Default value is "true".
type: boolean
rules:
description: Rules contains the list of rules to be applied to resources.
items:
description: Rule contains a mutation, validation, or generation
action for the single resource description.
properties:
context:
description: Defines variables that can be used during rule
execution.
items:
properties:
configMap:
properties:
name:
type: string
namespace:
type: string
type: object
name:
type: string
type: object
type: array
exclude:
description: Selects resources for which the policy rule should
not be applied.
properties:
clusterRoles:
description: Specifies list of cluster wide role names.
items:
type: string
type: array
resources:
description: Specifies resources to which rule is excluded.
properties:
annotations:
additionalProperties:
type: string
description: Specifies map of annotations.
type: object
kinds:
description: Specifies list of resource kind.
items:
type: string
type: array
name:
description: Specifies name of the resource.
type: string
namespaces:
description: Specifies list of namespaces.
items:
type: string
type: array
selector:
description: Specifies the set of selectors.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
type: object
roles:
description: Specifies list of namespaced role names.
items:
type: string
type: array
subjects:
description: Specifies list of subject names like users,
user groups, and service accounts.
items:
description: Subject contains a reference to the object
or user identities a role binding applies to. This
can either hold a direct API object reference, or a
value for non-objects such as user and group names.
properties:
apiGroup:
description: APIGroup holds the API group of the referenced
subject. Defaults to "" for ServiceAccount subjects.
Defaults to "rbac.authorization.k8s.io" for User
and Group subjects.
type: string
kind:
description: Kind of object being referenced. Values
defined by this API group are "User", "Group", and
"ServiceAccount". If the Authorizer does not recognized
the kind value, the Authorizer should report an
error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
description: Namespace of the referenced object. If
the object kind is non-namespace, such as "User"
or "Group", and this value is not empty the Authorizer
should report an error.
type: string
required:
- kind
- name
type: object
type: array
type: object
generate:
description: Generates new resources.
properties:
apiVersion:
description: Specifies resource apiVersion.
type: string
clone:
description: To clone resource from other resource.
properties:
name:
description: Specifies name of the resource.
type: string
namespace:
description: Specifies resource namespace.
type: string
type: object
data:
description: Data specifies the resource manifest to be
generated.
x-kubernetes-preserve-unknown-fields: true
kind:
description: Specifies resource kind.
type: string
name:
description: Specifies resource name.
type: string
namespace:
description: Specifies resource namespace.
type: string
synchronize:
default: false
description: To keep resources synchronized with source
resource.
type: boolean
type: object
match:
description: Selects resources for which the policy rule should
be applied. If it's defined, "kinds" inside MatchResources
block is required.
properties:
clusterRoles:
description: Specifies list of cluster wide role names.
items:
type: string
type: array
resources:
description: Specifies resources to which rule is applied.
properties:
annotations:
additionalProperties:
type: string
description: Specifies map of annotations.
type: object
kinds:
description: Specifies list of resource kind.
items:
type: string
type: array
name:
description: Specifies name of the resource.
type: string
namespaces:
description: Specifies list of namespaces.
items:
type: string
type: array
selector:
description: Specifies the set of selectors.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
type: object
roles:
description: Specifies list of namespaced role names.
items:
type: string
type: array
subjects:
description: Specifies list of subject names like users,
user groups, and service accounts.
items:
description: Subject contains a reference to the object
or user identities a role binding applies to. This
can either hold a direct API object reference, or a
value for non-objects such as user and group names.
properties:
apiGroup:
description: APIGroup holds the API group of the referenced
subject. Defaults to "" for ServiceAccount subjects.
Defaults to "rbac.authorization.k8s.io" for User
and Group subjects.
type: string
kind:
description: Kind of object being referenced. Values
defined by this API group are "User", "Group", and
"ServiceAccount". If the Authorizer does not recognized
the kind value, the Authorizer should report an
error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
description: Namespace of the referenced object. If
the object kind is non-namespace, such as "User"
or "Group", and this value is not empty the Authorizer
should report an error.
type: string
required:
- kind
- name
type: object
type: array
type: object
mutate:
description: Modifies matching resources.
properties:
overlay:
description: Specifies overlay patterns. Overlay is preserved
for backwards compatibility and will be removed in Kyverno
1.5+.
x-kubernetes-preserve-unknown-fields: true
patchStrategicMerge:
x-kubernetes-preserve-unknown-fields: true
patches:
description: Specifies JSON Patch. Patches is preserved
for backwards compatibility and will be removed in Kyverno
1.5+.
items:
description: Patch declares patch operation for created
object according to RFC 6902.
properties:
op:
description: Specifies operations supported by JSON
Patch. i.e:- add, replace and delete.
type: string
path:
description: Specifies path of the resource.
type: string
value:
description: Specifies the value to be applied.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
patchesJson6902:
type: string
type: object
name:
description: A unique label for the rule.
type: string
preconditions:
description: Allows condition-based control of the policy rule
execution.
items:
description: Condition defines the evaluation condition.
properties:
key:
description: Key contains key to compare.
x-kubernetes-preserve-unknown-fields: true
operator:
description: Operator to compare against value.
type: string
value:
description: Value to be compared.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
validate:
description: Checks matching resources.
properties:
anyPattern:
description: Specifies list of validation patterns.
x-kubernetes-preserve-unknown-fields: true
deny:
description: Specifies conditions to deny validation.
properties:
conditions:
description: Specifies set of condition to deny.
items:
description: Condition defines the evaluation condition.
properties:
key:
description: Key contains key to compare.
x-kubernetes-preserve-unknown-fields: true
operator:
description: Operator to compare against value.
type: string
value:
description: Value to be compared.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
type: object
message:
description: Specifies message to be displayed on validation
policy violation.
type: string
pattern:
description: Specifies validation pattern.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
validationFailureAction:
default: audit
description: ValidationFailureAction controls if a policy failure
should not disallow an admission review request (enforce), or allow
(audit) and report an error. Default value is "audit".
type: string
type: object
status:
description: Status contains statistics related to policy.
properties:
averageExecutionTime:
description: Average time required to process the policy rules on
a resource.
type: string
resourcesBlockedCount:
description: Count of resources that were blocked for failing a validate,
across all rules.
type: integer
resourcesGeneratedCount:
description: Count of resources that were successfully generated,
across all rules.
type: integer
resourcesMutatedCount:
description: Count of resources that were successfully mutated, across
all rules.
type: integer
ruleStatus:
items:
description: RuleStats provides status per rule.
properties:
appliedCount:
description: Count of rules that were applied.
type: integer
averageExecutionTime:
description: Average time require to process the rule.
type: string
failedCount:
description: Count of rules that failed.
type: integer
resourcesBlockedCount:
description: Count of resources for whom update/create api requests
were blocked as the resource did not satisfy the policy rules.
type: integer
resourcesGeneratedCount:
description: Count of resources that were successfully generated.
type: integer
resourcesMutatedCount:
description: Count of resources that were successfully mutated.
type: integer
ruleName:
description: Rule name.
type: string
violationCount:
description: Number of violations created by this rule.
type: integer
required:
- ruleName
type: object
type: array
rulesAppliedCount:
description: Count of rules that were applied.
type: integer
rulesFailedCount:
description: Count of rules that failed.
type: integer
violationCount:
description: Number of violations created by this policy.
type: integer
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.0
creationTimestamp: null
name: policyreports.wgpolicyk8s.io
spec:
group: wgpolicyk8s.io
names:
kind: PolicyReport
listKind: PolicyReportList
plural: policyreports
shortNames:
- polr
singular: policyreport
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .scope.kind
name: Kind
priority: 1
type: string
- jsonPath: .scope.name
name: Name
priority: 1
type: string
- jsonPath: .summary.pass
name: Pass
type: integer
- jsonPath: .summary.fail
name: Fail
type: integer
- jsonPath: .summary.warn
name: Warn
type: integer
- jsonPath: .summary.error
name: Error
type: integer
- jsonPath: .summary.skip
name: Skip
type: integer
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: PolicyReport is the Schema for the policyreports API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
results:
description: PolicyReportResult provides result details
items:
description: PolicyReportResult provides the result for an individual
policy
properties:
category:
description: Category indicates policy category
type: string
data:
additionalProperties:
type: string
description: Data provides additional information for the policy
rule
type: object
message:
description: Message is a short user friendly description of the
policy rule
type: string
policy:
description: Policy is the name of the policy
type: string
resourceSelector:
description: ResourceSelector is an optional selector for policy
results that apply to multiple resources. For example, a policy
result may apply to all pods that match a label. Either a Resource
or a ResourceSelector can be specified. If neither are provided,
the result is assumed to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that
contains values, a key, and an operator that relates the
key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
type: string
values:
description: values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a
strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
type: object
type: object
resources:
description: Resources is an optional reference to the resource
checked by the policy and rule
items:
description: 'ObjectReference contains enough information to let
you inspect or modify the referred object. --- New uses of this
type are discouraged because of difficulty describing its usage
when embedded in APIs. 1. Ignored fields. It includes many
fields which are not generally honored. For instance, ResourceVersion
and FieldPath are both very rarely valid in actual usage. 2.
Invalid usage help. It is impossible to add specific help for
individual usage. In most embedded usages, there are particular restrictions
like, "must refer only to types A and B" or "UID not honored"
or "name must be restricted". Those cannot be well described
when embedded. 3. Inconsistent validation. Because the usages
are different, the validation rules are different by usage,
which makes it hard for users to predict what will happen. 4.
The fields are both imprecise and overly precise. Kind is not
a precise mapping to a URL. This can produce ambiguity during
interpretation and require a REST mapping. In most cases, the
dependency is on the group,resource tuple and the version
of the actual struct is irrelevant. 5. We cannot easily change
it. Because this type is embedded in many locations, updates
to this type will affect numerous schemas. Don''t make
new APIs embed an underspecified API type they do not control.
Instead of using this type, create a locally provided and used
type that is well-focused on your reference. For example, ServiceReferences
for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
.'
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead
of an entire object, this string should contain a valid
JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part
of an object. TODO: this design is not final and this field
is subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
type: array
rule:
description: Rule is the name of the policy rule
type: string
scored:
description: Scored indicates if this policy rule is scored
type: boolean
severity:
description: Severity indicates policy severity
enum:
- high
- low
- medium
type: string
status:
description: Status indicates the result of the policy rule check
enum:
- pass
- fail
- warn
- error
- skip
type: string
required:
- policy
type: object
type: array
scope:
description: Scope is an optional reference to the report scope (e.g.
a Deployment, Namespace, or Node)
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead of an entire
object, this string should contain a valid JSON/Go field access
statement, such as desiredState.manifest.containers[2]. For example,
if the object reference is to a container within a pod, this would
take on a value like: "spec.containers{name}" (where "name" refers
to the name of the container that triggered the event) or if no
container name is specified "spec.containers[2]" (container with
index 2 in this pod). This syntax is chosen only to have some well-defined
way of referencing a part of an object. TODO: this design is not
final and this field is subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference is
made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes
(e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
should be specified.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains
values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship to a set
of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator
is In or NotIn, the values array must be non-empty. If the
operator is Exists or DoesNotExist, the values array must
be empty. This array is replaced during a strategic merge
patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value}
in the matchLabels map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In", and the values array
contains only "value". The requirements are ANDed.
type: object
type: object
summary:
description: PolicyReportSummary provides a summary of results
properties:
error:
description: Error provides the count of policies that could not be
evaluated
type: integer
fail:
description: Fail provides the count of policies whose requirements
were not met
type: integer
pass:
description: Pass provides the count of policies whose requirements
were met
type: integer
skip:
description: Skip indicates the count of policies that were not selected
for evaluation
type: integer
warn:
description: Warn provides the count of unscored policies whose requirements
were not met
type: integer
type: object
type: object
served: true
storage: true
subresources: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.0
creationTimestamp: null
name: reportchangerequests.kyverno.io
spec:
group: kyverno.io
names:
kind: ReportChangeRequest
listKind: ReportChangeRequestList
plural: reportchangerequests
singular: reportchangerequest
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .scope.kind
name: Kind
priority: 1
type: string
- jsonPath: .scope.name
name: Name
priority: 1
type: string
- jsonPath: .summary.pass
name: Pass
type: integer
- jsonPath: .summary.fail
name: Fail
type: integer
- jsonPath: .summary.warn
name: Warn
type: integer
- jsonPath: .summary.error
name: Error
type: integer
- jsonPath: .summary.skip
name: Skip
type: integer
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: ReportChangeRequest is the Schema for the ReportChangeRequests
API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
results:
description: PolicyReportResult provides result details
items:
description: PolicyReportResult provides the result for an individual
policy
properties:
category:
description: Category indicates policy category
type: string
data:
additionalProperties:
type: string
description: Data provides additional information for the policy
rule
type: object
message:
description: Message is a short user friendly description of the
policy rule
type: string
policy:
description: Policy is the name of the policy
type: string
resourceSelector:
description: ResourceSelector is an optional selector for policy
results that apply to multiple resources. For example, a policy
result may apply to all pods that match a label. Either a Resource
or a ResourceSelector can be specified. If neither are provided,
the result is assumed to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that
contains values, a key, and an operator that relates the
key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
type: string
values:
description: values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a
strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
type: object
type: object
resources:
description: Resources is an optional reference to the resource
checked by the policy and rule
items:
description: 'ObjectReference contains enough information to let
you inspect or modify the referred object. --- New uses of this
type are discouraged because of difficulty describing its usage
when embedded in APIs. 1. Ignored fields. It includes many
fields which are not generally honored. For instance, ResourceVersion
and FieldPath are both very rarely valid in actual usage. 2.
Invalid usage help. It is impossible to add specific help for
individual usage. In most embedded usages, there are particular restrictions
like, "must refer only to types A and B" or "UID not honored"
or "name must be restricted". Those cannot be well described
when embedded. 3. Inconsistent validation. Because the usages
are different, the validation rules are different by usage,
which makes it hard for users to predict what will happen. 4.
The fields are both imprecise and overly precise. Kind is not
a precise mapping to a URL. This can produce ambiguity during
interpretation and require a REST mapping. In most cases, the
dependency is on the group,resource tuple and the version
of the actual struct is irrelevant. 5. We cannot easily change
it. Because this type is embedded in many locations, updates
to this type will affect numerous schemas. Don''t make
new APIs embed an underspecified API type they do not control.
Instead of using this type, create a locally provided and used
type that is well-focused on your reference. For example, ServiceReferences
for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
.'
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead
of an entire object, this string should contain a valid
JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part
of an object. TODO: this design is not final and this field
is subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
type: array
rule:
description: Rule is the name of the policy rule
type: string
scored:
description: Scored indicates if this policy rule is scored
type: boolean
severity:
description: Severity indicates policy severity
enum:
- high
- low
- medium
type: string
status:
description: Status indicates the result of the policy rule check
enum:
- pass
- fail
- warn
- error
- skip
type: string
required:
- policy
type: object
type: array
scope:
description: Scope is an optional reference to the report scope (e.g.
a Deployment, Namespace, or Node)
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead of an entire
object, this string should contain a valid JSON/Go field access
statement, such as desiredState.manifest.containers[2]. For example,
if the object reference is to a container within a pod, this would
take on a value like: "spec.containers{name}" (where "name" refers
to the name of the container that triggered the event) or if no
container name is specified "spec.containers[2]" (container with
index 2 in this pod). This syntax is chosen only to have some well-defined
way of referencing a part of an object. TODO: this design is not
final and this field is subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference is
made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes
(e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
should be specified.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains
values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship to a set
of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator
is In or NotIn, the values array must be non-empty. If the
operator is Exists or DoesNotExist, the values array must
be empty. This array is replaced during a strategic merge
patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value}
in the matchLabels map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In", and the values array
contains only "value". The requirements are ANDed.
type: object
type: object
summary:
description: PolicyReportSummary provides a summary of results
properties:
error:
description: Error provides the count of policies that could not be
evaluated
type: integer
fail:
description: Fail provides the count of policies whose requirements
were not met
type: integer
pass:
description: Pass provides the count of policies whose requirements
were met
type: integer
skip:
description: Skip indicates the count of policies that were not selected
for evaluation
type: integer
warn:
description: Warn provides the count of unscored policies whose requirements
were not met
type: integer
type: object
type: object
served: true
storage: true
subresources: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: kyverno-service-account
namespace: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:customresources
rules:
- apiGroups:
- '*'
resources:
- policies
- policies/status
- clusterpolicies
- clusterpolicies/status
- policyreports
- policyreports/status
- clusterpolicyreports
- clusterpolicyreports/status
- generaterequests
- generaterequests/status
- reportchangerequests
- reportchangerequests/status
- clusterreportchangerequests
- clusterreportchangerequests/status
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:generatecontroller
rules:
- apiGroups:
- '*'
resources:
- namespaces
- networkpolicies
- secrets
- configmaps
- resourcequotas
- limitranges
- clusterroles
- rolebindings
- clusterrolebindings
verbs:
- create
- update
- delete
- get
- apiGroups:
- '*'
resources:
- namespaces
verbs:
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:policycontroller
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:userinfo
rules:
- apiGroups:
- '*'
resources:
- roles
- clusterroles
- rolebindings
- clusterrolebindings
- configmaps
- namespaces
verbs:
- watch
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:webhook
rules:
- apiGroups:
- '*'
resources:
- events
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
- certificatesigningrequests
- certificatesigningrequests/approval
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- certificates.k8s.io
resourceNames:
- kubernetes.io/legacy-unknown
resources:
- certificatesigningrequests
- certificatesigningrequests/approval
- certificatesigningrequests/status
verbs:
- create
- delete
- get
- update
- watch
- apiGroups:
- certificates.k8s.io
resourceNames:
- kubernetes.io/legacy-unknown
resources:
- signers
verbs:
- approve
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:admin-policies
rules:
- apiGroups:
- kyverno.io
resources:
- policies
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:admin-policyreport
rules:
- apiGroups:
- wgpolicyk8s.io/v1alpha1
resources:
- policyreport
- clusterpolicyreport
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-edit: "true"
name: kyverno:edit-policies-policyreport
rules:
- apiGroups:
- wgpolicyk8s.io/v1alpha1
resources:
- policyreport
- clusterpolicyreport
- policies
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: kyverno:policyreport
rules:
- apiGroups:
- '*'
resources:
- policyreports
- clusterpolicyreports
- pods
verbs:
- get
- list
- watch
- delete
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: kyverno:policyviolations
rules:
- apiGroups:
- kyverno.io
resources:
- policyviolations
verbs:
- get
- list
- watch
- delete
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:view-clusterpolicyreport
rules:
- apiGroups:
- wgpolicyk8s.io/v1alpha1
resources:
- clusterpolicyreport
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-view: "true"
name: kyverno:view-policyreport
rules:
- apiGroups:
- wgpolicyk8s.io/v1alpha1
resources:
- policyreport
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kyverno:customresources
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:customresources
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kyverno:generatecontroller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:generatecontroller
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kyverno:policycontroller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:policycontroller
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kyverno:policyreport
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:policyreport
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kyverno:policyviolations
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:policyviolations
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kyverno:userinfo
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:userinfo
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kyverno:webhook
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:webhook
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
apiVersion: v1
data:
excludeGroupRole: system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler
resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]'
kind: ConfigMap
metadata:
name: init-config
namespace: kyverno
---
apiVersion: v1
kind: Service
metadata:
labels:
app: kyverno
name: kyverno-svc
namespace: kyverno
spec:
ports:
- port: 443
targetPort: https
selector:
app: kyverno
View git blame Copy permalink