mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-15 17:51:20 +00:00
3865 lines
78 KiB
HTML
3865 lines
78 KiB
HTML
<!doctype html>
|
|
<html lang="en">
|
|
<head>
|
|
<meta charset="utf-8">
|
|
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
|
|
<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css" integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T" crossorigin="anonymous">
|
|
<title>Kyverno API</title>
|
|
<style>
|
|
.bg-blue {
|
|
color: #ffffff;
|
|
background-color: #1589dd;
|
|
}
|
|
</style>
|
|
</head>
|
|
<body>
|
|
<div class="container">
|
|
<nav class="navbar navbar-expand-lg navbar-dark bg-dark">
|
|
<a class="navbar-brand" href="#"><p><b>Packages : </b></p></a>
|
|
<ul style="list-style:none">
|
|
<li>
|
|
<a href="#kyverno.io%2fv1"><b style="color: white">kyverno.io/v1</b></a>
|
|
</li>
|
|
<li>
|
|
<a href="#kyverno.io%2fv1alpha1"><b style="color: white">kyverno.io/v1alpha1</b></a>
|
|
</li>
|
|
<li>
|
|
<a href="#kyverno.io%2fv1alpha2"><b style="color: white">kyverno.io/v1alpha2</b></a>
|
|
</li>
|
|
<li>
|
|
<a href="#wgpolicyk8s.io%2fv1alpha1"><b style="color: white">wgpolicyk8s.io/v1alpha1</b></a>
|
|
</li>
|
|
<li>
|
|
<a href="#wgpolicyk8s.io%2fv1alpha2"><b style="color: white">wgpolicyk8s.io/v1alpha2</b></a>
|
|
</li>
|
|
</ul>
|
|
</nav>
|
|
<h2 id="kyverno.io/v1">kyverno.io/v1</h2>
|
|
Resource Types:
|
|
<ul></ul>
|
|
<hr />
|
|
<h3 id="kyverno.io/v1.APICall">APICall
|
|
</h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#kyverno.io/v1.ContextEntry">ContextEntry</a>)
|
|
</p>
|
|
<p>
|
|
<p>APICall defines an HTTP request to the Kubernetes API server. The JSON
|
|
data retrieved is stored in the context. An APICall contains a URLPath
|
|
used to perform the HTTP GET request and an optional JMESPath used to
|
|
transform the retrieved JSON data.</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>urlPath</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>URLPath is the URL path to be used in the HTTP GET request to the
|
|
Kubernetes API server (e.g. “/api/v1/namespaces” or “/apis/apps/v1/deployments”).
|
|
The format required is the same format used by the <code>kubectl get --raw</code> command.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>jmesPath</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the API server. For example
|
|
a JMESPath of “items | length(@)” applied to the API server response
|
|
to the URLPath “/apis/apps/v1/deployments” will return the total count
|
|
of deployments across all namespaces.</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="kyverno.io/v1.AdmissionRequestInfoObject">AdmissionRequestInfoObject
|
|
</h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#kyverno.io/v1.GenerateRequestContext">GenerateRequestContext</a>)
|
|
</p>
|
|
<p>
|
|
<p>AdmissionRequestInfoObject stores the admission request and operation details</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>admissionRequest</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>operation</code></br>
|
|
<em>
|
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#operation-v1beta1-admission">
|
|
Kubernetes admission/v1beta1.Operation
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="kyverno.io/v1.AnyAllConditions">AnyAllConditions
|
|
</h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#kyverno.io/v1.Attestation">Attestation</a>,
|
|
<a href="#kyverno.io/v1.ForEachMutation">ForEachMutation</a>,
|
|
<a href="#kyverno.io/v1.ForEachValidation">ForEachValidation</a>)
|
|
</p>
|
|
<p>
|
|
<p>AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
|
|
AnyConditions get fulfilled when at least one of its sub-conditions passes.
|
|
AllConditions get fulfilled only when all of its sub-conditions pass.</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>any</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.Condition">
|
|
[]Condition
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when an rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions need to pass</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>all</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.Condition">
|
|
[]Condition
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when an rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="kyverno.io/v1.Attestation">Attestation
|
|
</h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#kyverno.io/v1.ImageVerification">ImageVerification</a>)
|
|
</p>
|
|
<p>
|
|
<p>Attestation are checks for signed in-toto Statements that are used to verify the image.
|
|
See <a href="https://github.com/in-toto/attestation">https://github.com/in-toto/attestation</a>. Kyverno fetches signed attestations from the
|
|
OCI registry and decodes them into a list of Statements.</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>predicateType</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>PredicateType defines the type of Predicate contained within the Statement.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>conditions</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.AnyAllConditions">
|
|
[]AnyAllConditions
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Conditions are used to verify attributes within a Predicate. If no Conditions are specified
|
|
the attestation check is satisfied as long there are predicates that match the predicate type.</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="kyverno.io/v1.CloneFrom">CloneFrom
|
|
</h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#kyverno.io/v1.Generation">Generation</a>)
|
|
</p>
|
|
<p>
|
|
<p>CloneFrom provides the location of the source resource used to generate target resources.
|
|
The resource kind is derived from the match criteria.</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>namespace</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Namespace specifies source resource namespace.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>name</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Name specifies name of the resource.</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="kyverno.io/v1.ClusterPolicy">ClusterPolicy
|
|
</h3>
|
|
<p>
|
|
<p>ClusterPolicy declares validation, mutation, and generation behaviors for matching resources.</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>metadata</code></br>
|
|
<em>
|
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta">
|
|
Kubernetes meta/v1.ObjectMeta
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
Refer to the Kubernetes API documentation for the fields of the
|
|
<code>metadata</code> field.
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>spec</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.Spec">
|
|
Spec
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Spec declares policy behaviors.</p>
|
|
<br/>
|
|
<br/>
|
|
<table class="table table-striped">
|
|
<tr>
|
|
<td>
|
|
<code>rules</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.Rule">
|
|
[]Rule
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Rules is a list of Rule instances. A Policy contains multiple rules and
|
|
each rule can validate, mutate, or generate resources.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>failurePolicy</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.FailurePolicyType">
|
|
FailurePolicyType
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>FailurePolicy defines how unrecognized errors from the admission endpoint are handled.
|
|
Rules within the same policy share the same failure behavior.
|
|
Allowed values are Ignore or Fail. Defaults to Fail.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>validationFailureAction</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>ValidationFailureAction controls if a validation policy rule failure should disallow
|
|
the admission review request (enforce), or allow (audit) the admission review request
|
|
and report an error in a policy report. Optional. The default value is “audit”.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>background</code></br>
|
|
<em>
|
|
bool
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Background controls if rules are applied to existing resources during a background scan.
|
|
Optional. Default value is “true”. The value must be set to “false” if the policy rule
|
|
uses variables that are only available in the admission review request (e.g. user name).</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>schemaValidation</code></br>
|
|
<em>
|
|
bool
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>SchemaValidation skips policy validation checks.
|
|
Optional. The default value is set to “true”, it must be set to “false” to disable the validation checks.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>webhookTimeoutSeconds</code></br>
|
|
<em>
|
|
int32
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
|
|
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
|
|
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.</p>
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>status</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.PolicyStatus">
|
|
PolicyStatus
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Status contains policy runtime data.</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="kyverno.io/v1.Condition">Condition
|
|
</h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#kyverno.io/v1.AnyAllConditions">AnyAllConditions</a>)
|
|
</p>
|
|
<p>
|
|
<p>Condition defines variable-based conditional criteria for rule execution.</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>key</code></br>
|
|
<em>
|
|
k8s.io/apiextensions-apiserver/pkg/apis/apiextensions.JSON
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Key is the context entry (using JMESPath) for conditional rule evaluation.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>operator</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.ConditionOperator">
|
|
ConditionOperator
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Operator is the operation to perform. Valid operators
|
|
are Equals, NotEquals, In, AnyIn, AllIn and NotIn, AnyNotIn, AllNotIn.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>value</code></br>
|
|
<em>
|
|
k8s.io/apiextensions-apiserver/pkg/apis/apiextensions.JSON
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using using JMESPath.</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="kyverno.io/v1.ConditionOperator">ConditionOperator
|
|
(<code>string</code> alias)</p></h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#kyverno.io/v1.Condition">Condition</a>)
|
|
</p>
|
|
<p>
|
|
<p>ConditionOperator is the operation performed on condition key and value.</p>
|
|
</p>
|
|
<h3 id="kyverno.io/v1.ConfigMapReference">ConfigMapReference
|
|
</h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#kyverno.io/v1.ContextEntry">ContextEntry</a>)
|
|
</p>
|
|
<p>
|
|
<p>ConfigMapReference refers to a ConfigMap</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>name</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Name is the ConfigMap name.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>namespace</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Namespace is the ConfigMap namespace.</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="kyverno.io/v1.ContextEntry">ContextEntry
|
|
</h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#kyverno.io/v1.ForEachMutation">ForEachMutation</a>,
|
|
<a href="#kyverno.io/v1.ForEachValidation">ForEachValidation</a>,
|
|
<a href="#kyverno.io/v1.Rule">Rule</a>)
|
|
</p>
|
|
<p>
|
|
<p>ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference or a APILookup must be provided.</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>name</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Name is the variable name.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>configMap</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.ConfigMapReference">
|
|
ConfigMapReference
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>ConfigMap is the ConfigMap reference.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>apiCall</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.APICall">
|
|
APICall
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>APICall defines an HTTP request to the Kubernetes API server. The JSON
|
|
data retrieved is stored in the context.</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="kyverno.io/v1.Deny">Deny
|
|
</h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#kyverno.io/v1.ForEachValidation">ForEachValidation</a>,
|
|
<a href="#kyverno.io/v1.Validation">Validation</a>)
|
|
</p>
|
|
<p>
|
|
<p>Deny specifies a list of conditions used to pass or fail a validation rule.</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>conditions</code></br>
|
|
<em>
|
|
k8s.io/apiextensions-apiserver/pkg/apis/apiextensions.JSON
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Multiple conditions can be declared under an <code>any</code> or <code>all</code> statement. A direct list
|
|
of conditions (without <code>any</code> or <code>all</code> statements) is also supported for backwards compatibility
|
|
but will be deprecated in the next major release.
|
|
See: <a href="https://kyverno.io/docs/writing-policies/validate/#deny-rules">https://kyverno.io/docs/writing-policies/validate/#deny-rules</a></p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="kyverno.io/v1.ExcludeResources">ExcludeResources
|
|
</h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#kyverno.io/v1.Rule">Rule</a>)
|
|
</p>
|
|
<p>
|
|
<p>ExcludeResources specifies resource and admission review request data for
|
|
which a policy rule is not applicable.</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>any</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.ResourceFilters">
|
|
ResourceFilters
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Any allows specifying resources which will be ORed</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>all</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.ResourceFilters">
|
|
ResourceFilters
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>All allows specifying resources which will be ANDed</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>UserInfo</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.UserInfo">
|
|
UserInfo
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>UserInfo contains information about the user performing the operation.
|
|
Specifying UserInfo directly under exclude is being deprecated.
|
|
Please specify under “any” or “all” instead.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>resources</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.ResourceDescription">
|
|
ResourceDescription
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>ResourceDescription contains information about the resource being created or modified.
|
|
Specifying ResourceDescription directly under exclude is being deprecated.
|
|
Please specify under “any” or “all” instead.</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="kyverno.io/v1.FailurePolicyType">FailurePolicyType
|
|
(<code>string</code> alias)</p></h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#kyverno.io/v1.Spec">Spec</a>)
|
|
</p>
|
|
<p>
|
|
<p>FailurePolicyType specifies a failure policy that defines how unrecognized errors from the admission endpoint are handled.</p>
|
|
</p>
|
|
<h3 id="kyverno.io/v1.ForEachMutation">ForEachMutation
|
|
</h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#kyverno.io/v1.Mutation">Mutation</a>)
|
|
</p>
|
|
<p>
|
|
<p>ForEachMutation applies policy rule changes to nested elements.</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>list</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>List specifies a JMESPath expression that results in one or more elements
|
|
to which the validation logic is applied.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>context</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.ContextEntry">
|
|
[]ContextEntry
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Context defines variables and data sources that can be used during rule execution.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>preconditions</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.AnyAllConditions">
|
|
AnyAllConditions
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested <code>any</code> or <code>all</code> statements.
|
|
See: <a href="https://kyverno.io/docs/writing-policies/preconditions/">https://kyverno.io/docs/writing-policies/preconditions/</a></p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>patchStrategicMerge</code></br>
|
|
<em>
|
|
k8s.io/apiextensions-apiserver/pkg/apis/apiextensions.JSON
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>PatchStrategicMerge is a strategic merge patch used to modify resources.
|
|
See <a href="https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/">https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/</a>
|
|
and <a href="https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/">https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/</a>.</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="kyverno.io/v1.ForEachValidation">ForEachValidation
|
|
</h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#kyverno.io/v1.Validation">Validation</a>)
|
|
</p>
|
|
<p>
|
|
<p>ForEachValidation applies policy rule checks to nested elements.</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>list</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>List specifies a JMESPath expression that results in one or more elements
|
|
to which the validation logic is applied.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>context</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.ContextEntry">
|
|
[]ContextEntry
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Context defines variables and data sources that can be used during rule execution.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>preconditions</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.AnyAllConditions">
|
|
AnyAllConditions
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested <code>any</code> or <code>all</code> statements.
|
|
See: <a href="https://kyverno.io/docs/writing-policies/preconditions/">https://kyverno.io/docs/writing-policies/preconditions/</a></p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>pattern</code></br>
|
|
<em>
|
|
k8s.io/apiextensions-apiserver/pkg/apis/apiextensions.JSON
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Pattern specifies an overlay-style pattern used to check resources.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>anyPattern</code></br>
|
|
<em>
|
|
k8s.io/apiextensions-apiserver/pkg/apis/apiextensions.JSON
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>AnyPattern specifies list of validation patterns. At least one of the patterns
|
|
must be satisfied for the validation rule to succeed.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>deny</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.Deny">
|
|
Deny
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Deny defines conditions used to pass or fail a validation rule.</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="kyverno.io/v1.GenerateRequest">GenerateRequest
|
|
</h3>
|
|
<p>
|
|
<p>GenerateRequest is a request to process generate rule.</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>metadata</code></br>
|
|
<em>
|
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta">
|
|
Kubernetes meta/v1.ObjectMeta
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
Refer to the Kubernetes API documentation for the fields of the
|
|
<code>metadata</code> field.
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>spec</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.GenerateRequestSpec">
|
|
GenerateRequestSpec
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Spec is the information to identify the generate request.</p>
|
|
<br/>
|
|
<br/>
|
|
<table class="table table-striped">
|
|
<tr>
|
|
<td>
|
|
<code>policy</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Specifies the name of the policy.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>resource</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.ResourceSpec">
|
|
ResourceSpec
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>ResourceSpec is the information to identify the generate request.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>context</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.GenerateRequestContext">
|
|
GenerateRequestContext
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Context …</p>
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>status</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.GenerateRequestStatus">
|
|
GenerateRequestStatus
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Status contains statistics related to generate request.</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="kyverno.io/v1.GenerateRequestContext">GenerateRequestContext
|
|
</h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#kyverno.io/v1.GenerateRequestSpec">GenerateRequestSpec</a>)
|
|
</p>
|
|
<p>
|
|
<p>GenerateRequestContext stores the context to be shared.</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>userInfo</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.RequestInfo">
|
|
RequestInfo
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>admissionRequestInfo</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.AdmissionRequestInfoObject">
|
|
AdmissionRequestInfoObject
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="kyverno.io/v1.GenerateRequestSpec">GenerateRequestSpec
|
|
</h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#kyverno.io/v1.GenerateRequest">GenerateRequest</a>)
|
|
</p>
|
|
<p>
|
|
<p>GenerateRequestSpec stores the request specification.</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>policy</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Specifies the name of the policy.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>resource</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.ResourceSpec">
|
|
ResourceSpec
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>ResourceSpec is the information to identify the generate request.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>context</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.GenerateRequestContext">
|
|
GenerateRequestContext
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Context …</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="kyverno.io/v1.GenerateRequestState">GenerateRequestState
|
|
(<code>string</code> alias)</p></h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#kyverno.io/v1.GenerateRequestStatus">GenerateRequestStatus</a>)
|
|
</p>
|
|
<p>
|
|
<p>GenerateRequestState defines the state of request.</p>
|
|
</p>
|
|
<h3 id="kyverno.io/v1.GenerateRequestStatus">GenerateRequestStatus
|
|
</h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#kyverno.io/v1.GenerateRequest">GenerateRequest</a>)
|
|
</p>
|
|
<p>
|
|
<p>GenerateRequestStatus stores the status of generated request.</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>state</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.GenerateRequestState">
|
|
GenerateRequestState
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>State represents state of the generate request.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>message</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Specifies request status message.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>generatedResources</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.ResourceSpec">
|
|
[]ResourceSpec
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>This will track the resources that are generated by the generate Policy.
|
|
Will be used during clean up resources.</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="kyverno.io/v1.Generation">Generation
|
|
</h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#kyverno.io/v1.Rule">Rule</a>)
|
|
</p>
|
|
<p>
|
|
<p>Generation defines how new resources should be created and managed.</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>ResourceSpec</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.ResourceSpec">
|
|
ResourceSpec
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>ResourceSpec contains information to select the resource.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>synchronize</code></br>
|
|
<em>
|
|
bool
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Synchronize controls if generated resources should be kept in-sync with their source resource.
|
|
If Synchronize is set to “true” changes to generated resources will be overwritten with resource
|
|
data from Data or the resource specified in the Clone declaration.
|
|
Optional. Defaults to “false” if not specified.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>data</code></br>
|
|
<em>
|
|
k8s.io/apiextensions-apiserver/pkg/apis/apiextensions.JSON
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Data provides the resource declaration used to populate each generated resource.
|
|
At most one of Data or Clone must be specified. If neither are provided, the generated
|
|
resource will be created with default data only.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>clone</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.CloneFrom">
|
|
CloneFrom
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Clone specifies the source resource used to populate each generated resource.
|
|
At most one of Data or Clone can be specified. If neither are provided, the generated
|
|
resource will be created with default data only.</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="kyverno.io/v1.ImageVerification">ImageVerification
|
|
</h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#kyverno.io/v1.Rule">Rule</a>)
|
|
</p>
|
|
<p>
|
|
<p>ImageVerification validates that images that match the specified pattern
|
|
are signed with the supplied public key. Once the image is verified it is
|
|
mutated to include the SHA digest retrieved during the registration.</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>image</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Image is the image name consisting of the registry address, repository, image, and tag.
|
|
Wildcards (‘*’ and ‘?’) are allowed. See: <a href="https://kubernetes.io/docs/concepts/containers/images">https://kubernetes.io/docs/concepts/containers/images</a>.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>key</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Key is the PEM encoded public key that the image or attestation is signed with.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>roots</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Roots is the PEM encoded Root certificate chain used for keyless signing</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>subject</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Subject is the verified identity used for keyless signing, for example the email address</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>repository</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Repository is an optional alternate OCI repository to use for image signatures that match this rule.
|
|
If specified Repository will override the default OCI image repository configured for the installation.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>attestations</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.Attestation">
|
|
[]Attestation
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Attestations are optional checks for signed in-toto Statements used to verify the image.
|
|
See <a href="https://github.com/in-toto/attestation">https://github.com/in-toto/attestation</a>. Kyverno fetches signed attestations from the
|
|
OCI registry and decodes them into a list of Statement declarations.</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="kyverno.io/v1.MatchResources">MatchResources
|
|
</h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#kyverno.io/v1.Rule">Rule</a>)
|
|
</p>
|
|
<p>
|
|
<p>MatchResources is used to specify resource and admission review request data for
|
|
which a policy rule is applicable.</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>any</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.ResourceFilters">
|
|
ResourceFilters
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Any allows specifying resources which will be ORed</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>all</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.ResourceFilters">
|
|
ResourceFilters
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>All allows specifying resources which will be ANDed</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>UserInfo</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.UserInfo">
|
|
UserInfo
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>UserInfo contains information about the user performing the operation.
|
|
Specifying UserInfo directly under match is being deprecated.
|
|
Please specify under “any” or “all” instead.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>resources</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.ResourceDescription">
|
|
ResourceDescription
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>ResourceDescription contains information about the resource being created or modified.
|
|
Requires at least one tag to be specified when under MatchResources.
|
|
Specifying ResourceDescription directly under match is being deprecated.
|
|
Please specify under “any” or “all” instead.</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="kyverno.io/v1.Mutation">Mutation
|
|
</h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#kyverno.io/v1.Rule">Rule</a>)
|
|
</p>
|
|
<p>
|
|
<p>Mutation defines how resource are modified.</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>overlay</code></br>
|
|
<em>
|
|
k8s.io/apiextensions-apiserver/pkg/apis/apiextensions.JSON
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Overlay specifies an overlay pattern to modify resources.
|
|
DEPRECATED. Use PatchStrategicMerge instead. Scheduled for
|
|
removal in release 1.5+.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>patches</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.Patch">
|
|
[]Patch
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Patches specifies a RFC 6902 JSON Patch to modify resources.
|
|
DEPRECATED. Use PatchesJSON6902 instead. Scheduled for
|
|
removal in release 1.5+.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>patchStrategicMerge</code></br>
|
|
<em>
|
|
k8s.io/apiextensions-apiserver/pkg/apis/apiextensions.JSON
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>PatchStrategicMerge is a strategic merge patch used to modify resources.
|
|
See <a href="https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/">https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/</a>
|
|
and <a href="https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/">https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/</a>.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>patchesJson6902</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
|
See <a href="https://tools.ietf.org/html/rfc6902">https://tools.ietf.org/html/rfc6902</a> and <a href="https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/">https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/</a>.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>foreach</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.ForEachMutation">
|
|
[]ForEachMutation
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>ForEachMutation applies policy rule changes to nested elements.</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="kyverno.io/v1.Patch">Patch
|
|
</h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#kyverno.io/v1.Mutation">Mutation</a>)
|
|
</p>
|
|
<p>
|
|
<p>Patch is a RFC 6902 JSON Patch.
|
|
See: <a href="https://tools.ietf.org/html/rfc6902">https://tools.ietf.org/html/rfc6902</a></p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>path</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Path specifies path of the resource.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>op</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Operation specifies operations supported by JSON Patch.
|
|
i.e:- add, replace and delete.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>value</code></br>
|
|
<em>
|
|
k8s.io/apiextensions-apiserver/pkg/apis/apiextensions.JSON
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Value specifies the value to be applied.</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="kyverno.io/v1.Policy">Policy
|
|
</h3>
|
|
<p>
|
|
<p>Policy declares validation, mutation, and generation behaviors for matching resources.
|
|
See: <a href="https://kyverno.io/docs/writing-policies/">https://kyverno.io/docs/writing-policies/</a> for more information.</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>metadata</code></br>
|
|
<em>
|
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta">
|
|
Kubernetes meta/v1.ObjectMeta
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
Refer to the Kubernetes API documentation for the fields of the
|
|
<code>metadata</code> field.
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>spec</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.Spec">
|
|
Spec
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Spec defines policy behaviors and contains one or more rules.</p>
|
|
<br/>
|
|
<br/>
|
|
<table class="table table-striped">
|
|
<tr>
|
|
<td>
|
|
<code>rules</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.Rule">
|
|
[]Rule
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Rules is a list of Rule instances. A Policy contains multiple rules and
|
|
each rule can validate, mutate, or generate resources.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>failurePolicy</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.FailurePolicyType">
|
|
FailurePolicyType
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>FailurePolicy defines how unrecognized errors from the admission endpoint are handled.
|
|
Rules within the same policy share the same failure behavior.
|
|
Allowed values are Ignore or Fail. Defaults to Fail.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>validationFailureAction</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>ValidationFailureAction controls if a validation policy rule failure should disallow
|
|
the admission review request (enforce), or allow (audit) the admission review request
|
|
and report an error in a policy report. Optional. The default value is “audit”.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>background</code></br>
|
|
<em>
|
|
bool
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Background controls if rules are applied to existing resources during a background scan.
|
|
Optional. Default value is “true”. The value must be set to “false” if the policy rule
|
|
uses variables that are only available in the admission review request (e.g. user name).</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>schemaValidation</code></br>
|
|
<em>
|
|
bool
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>SchemaValidation skips policy validation checks.
|
|
Optional. The default value is set to “true”, it must be set to “false” to disable the validation checks.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>webhookTimeoutSeconds</code></br>
|
|
<em>
|
|
int32
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
|
|
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
|
|
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.</p>
|
|
</td>
|
|
</tr>
|
|
</table>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>status</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.PolicyStatus">
|
|
PolicyStatus
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Status contains policy runtime information.
|
|
Deprecated. Policy metrics are available via the metrics endpoint</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="kyverno.io/v1.PolicyStatus">PolicyStatus
|
|
</h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#kyverno.io/v1.ClusterPolicy">ClusterPolicy</a>,
|
|
<a href="#kyverno.io/v1.Policy">Policy</a>)
|
|
</p>
|
|
<p>
|
|
<p>PolicyStatus mostly contains runtime information related to policy execution.
|
|
Deprecated. Policy metrics are now available via the “/metrics” endpoint.
|
|
See: <a href="https://kyverno.io/docs/monitoring-kyverno-with-prometheus-metrics/">https://kyverno.io/docs/monitoring-kyverno-with-prometheus-metrics/</a></p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>ready</code></br>
|
|
<em>
|
|
bool
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Ready indicates if the policy is ready to serve the admission request</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="kyverno.io/v1.RequestInfo">RequestInfo
|
|
</h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#kyverno.io/v1.GenerateRequestContext">GenerateRequestContext</a>)
|
|
</p>
|
|
<p>
|
|
<p>RequestInfo contains permission info carried in an admission request.</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>roles</code></br>
|
|
<em>
|
|
[]string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Roles is a list of possible role send the request.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>clusterRoles</code></br>
|
|
<em>
|
|
[]string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>ClusterRoles is a list of possible clusterRoles send the request.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>userInfo</code></br>
|
|
<em>
|
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#userinfo-v1-authentication">
|
|
Kubernetes authentication/v1.UserInfo
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>UserInfo is the userInfo carried in the admission request.</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="kyverno.io/v1.ResourceDescription">ResourceDescription
|
|
</h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#kyverno.io/v1.ExcludeResources">ExcludeResources</a>,
|
|
<a href="#kyverno.io/v1.MatchResources">MatchResources</a>,
|
|
<a href="#kyverno.io/v1.ResourceFilter">ResourceFilter</a>)
|
|
</p>
|
|
<p>
|
|
<p>ResourceDescription contains criteria used to match resources.</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>kinds</code></br>
|
|
<em>
|
|
[]string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Kinds is a list of resource kinds.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>name</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Name is the name of the resource. The name supports wildcard characters
|
|
“*” (matches zero or many characters) and “?” (at least one character).</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>names</code></br>
|
|
<em>
|
|
[]string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Names are the names of the resources. Each name supports wildcard characters
|
|
“*” (matches zero or many characters) and “?” (at least one character).
|
|
NOTE: “Name” is being deprecated in favor of “Names”.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>namespaces</code></br>
|
|
<em>
|
|
[]string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Namespaces is a list of namespaces names. Each name supports wildcard characters
|
|
“*” (matches zero or many characters) and “?” (at least one character).</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>annotations</code></br>
|
|
<em>
|
|
map[string]string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters “*” (matches zero or many characters) and
|
|
“?” (matches at least one character).</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>selector</code></br>
|
|
<em>
|
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#labelselector-v1-meta">
|
|
Kubernetes meta/v1.LabelSelector
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Selector is a label selector. Label keys and values in <code>matchLabels</code> support the wildcard
|
|
characters <code>*</code> (matches zero or many characters) and <code>?</code> (matches one character).
|
|
Wildcards allows writing label selectors like [“storage.k8s.io/<em>”: “</em>”]. Note that
|
|
using [”<em>” : “</em>”] matches any key and value but does not match an empty label set.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>namespaceSelector</code></br>
|
|
<em>
|
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#labelselector-v1-meta">
|
|
Kubernetes meta/v1.LabelSelector
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in <code>matchLabels</code> support the wildcard characters <code>*</code> (matches zero or many characters)
|
|
and <code>?</code> (matches one character).Wildcards allows writing label selectors like
|
|
[“storage.k8s.io/<em>”: “</em>”]. Note that using [”<em>” : “</em>”] matches any key and value but
|
|
does not match an empty label set.</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="kyverno.io/v1.ResourceFilter">ResourceFilter
|
|
</h3>
|
|
<p>
|
|
<p>ResourceFilter allow users to “AND” or “OR” between resources</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>UserInfo</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.UserInfo">
|
|
UserInfo
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>UserInfo contains information about the user performing the operation.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>resources</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.ResourceDescription">
|
|
ResourceDescription
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>ResourceDescription contains information about the resource being created or modified.</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="kyverno.io/v1.ResourceFilters">ResourceFilters
|
|
(<code>[]github.com/kyverno/kyverno/api/kyverno/v1.ResourceFilter</code> alias)</p></h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#kyverno.io/v1.ExcludeResources">ExcludeResources</a>,
|
|
<a href="#kyverno.io/v1.MatchResources">MatchResources</a>)
|
|
</p>
|
|
<p>
|
|
<p>ResourceFilters is a slice of ResourceFilter</p>
|
|
</p>
|
|
<h3 id="kyverno.io/v1.ResourceSpec">ResourceSpec
|
|
</h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#kyverno.io/v1.GenerateRequestSpec">GenerateRequestSpec</a>,
|
|
<a href="#kyverno.io/v1.GenerateRequestStatus">GenerateRequestStatus</a>,
|
|
<a href="#kyverno.io/v1.Generation">Generation</a>)
|
|
</p>
|
|
<p>
|
|
<p>ResourceSpec contains information to identify a resource.</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>apiVersion</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>APIVersion specifies resource apiVersion.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>kind</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Kind specifies resource kind.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>namespace</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Namespace specifies resource namespace.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>name</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Name specifies the resource name.</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="kyverno.io/v1.Rule">Rule
|
|
</h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#kyverno.io/v1.Spec">Spec</a>)
|
|
</p>
|
|
<p>
|
|
<p>Rule defines a validation, mutation, or generation control for matching resources.
|
|
Each rules contains a match declaration to select resources, and an optional exclude
|
|
declaration to specify which resources to exclude.</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>name</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Name is a label to identify the rule, It must be unique within the policy.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>context</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.ContextEntry">
|
|
[]ContextEntry
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Context defines variables and data sources that can be used during rule execution.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>match</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.MatchResources">
|
|
MatchResources
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>MatchResources defines when this policy rule should be applied. The match
|
|
criteria can include resource information (e.g. kind, name, namespace, labels)
|
|
and admission review request information like the user name or role.
|
|
At least one kind is required.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>exclude</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.ExcludeResources">
|
|
ExcludeResources
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>ExcludeResources defines when this policy rule should not be applied. The exclude
|
|
criteria can include resource information (e.g. kind, name, namespace, labels)
|
|
and admission review request information like the name or role.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>preconditions</code></br>
|
|
<em>
|
|
k8s.io/apiextensions-apiserver/pkg/apis/apiextensions.JSON
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Preconditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested <code>any</code> or <code>all</code> statements. A direct list
|
|
of conditions (without <code>any</code> or <code>all</code> statements is supported for backwards compatibility but
|
|
will be deprecated in the next major release.
|
|
See: <a href="https://kyverno.io/docs/writing-policies/preconditions/">https://kyverno.io/docs/writing-policies/preconditions/</a></p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>mutate</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.Mutation">
|
|
Mutation
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Mutation is used to modify matching resources.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>validate</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.Validation">
|
|
Validation
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Validation is used to validate matching resources.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>generate</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.Generation">
|
|
Generation
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Generation is used to create new resources.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>verifyImages</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.ImageVerification">
|
|
[]ImageVerification
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>VerifyImages is used to verify image signatures and mutate them to add a digest</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="kyverno.io/v1.Spec">Spec
|
|
</h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#kyverno.io/v1.ClusterPolicy">ClusterPolicy</a>,
|
|
<a href="#kyverno.io/v1.Policy">Policy</a>)
|
|
</p>
|
|
<p>
|
|
<p>Spec contains a list of Rule instances and other policy controls.</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>rules</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.Rule">
|
|
[]Rule
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Rules is a list of Rule instances. A Policy contains multiple rules and
|
|
each rule can validate, mutate, or generate resources.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>failurePolicy</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.FailurePolicyType">
|
|
FailurePolicyType
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>FailurePolicy defines how unrecognized errors from the admission endpoint are handled.
|
|
Rules within the same policy share the same failure behavior.
|
|
Allowed values are Ignore or Fail. Defaults to Fail.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>validationFailureAction</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>ValidationFailureAction controls if a validation policy rule failure should disallow
|
|
the admission review request (enforce), or allow (audit) the admission review request
|
|
and report an error in a policy report. Optional. The default value is “audit”.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>background</code></br>
|
|
<em>
|
|
bool
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Background controls if rules are applied to existing resources during a background scan.
|
|
Optional. Default value is “true”. The value must be set to “false” if the policy rule
|
|
uses variables that are only available in the admission review request (e.g. user name).</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>schemaValidation</code></br>
|
|
<em>
|
|
bool
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>SchemaValidation skips policy validation checks.
|
|
Optional. The default value is set to “true”, it must be set to “false” to disable the validation checks.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>webhookTimeoutSeconds</code></br>
|
|
<em>
|
|
int32
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
|
|
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
|
|
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="kyverno.io/v1.UserInfo">UserInfo
|
|
</h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#kyverno.io/v1.ExcludeResources">ExcludeResources</a>,
|
|
<a href="#kyverno.io/v1.MatchResources">MatchResources</a>,
|
|
<a href="#kyverno.io/v1.ResourceFilter">ResourceFilter</a>)
|
|
</p>
|
|
<p>
|
|
<p>UserInfo contains information about the user performing the operation.</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>roles</code></br>
|
|
<em>
|
|
[]string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Roles is the list of namespaced role names for the user.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>clusterRoles</code></br>
|
|
<em>
|
|
[]string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>ClusterRoles is the list of cluster-wide role names for the user.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>subjects</code></br>
|
|
<em>
|
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#subject-v1-rbac">
|
|
[]Kubernetes rbac/v1.Subject
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Subjects is the list of subject names like users, user groups, and service accounts.</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="kyverno.io/v1.Validation">Validation
|
|
</h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#kyverno.io/v1.Rule">Rule</a>)
|
|
</p>
|
|
<p>
|
|
<p>Validation defines checks to be performed on matching resources.</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>message</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Message specifies a custom message to be displayed on failure.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>foreach</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.ForEachValidation">
|
|
[]ForEachValidation
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>ForEach applies policy rule changes to nested elements.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>pattern</code></br>
|
|
<em>
|
|
k8s.io/apiextensions-apiserver/pkg/apis/apiextensions.JSON
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Pattern specifies an overlay-style pattern used to check resources.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>anyPattern</code></br>
|
|
<em>
|
|
k8s.io/apiextensions-apiserver/pkg/apis/apiextensions.JSON
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>AnyPattern specifies list of validation patterns. At least one of the patterns
|
|
must be satisfied for the validation rule to succeed.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>deny</code></br>
|
|
<em>
|
|
<a href="#kyverno.io/v1.Deny">
|
|
Deny
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Deny defines conditions used to pass or fail a validation rule.</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="kyverno.io/v1.ViolatedRule">ViolatedRule
|
|
</h3>
|
|
<p>
|
|
<p>ViolatedRule stores the information regarding the rule.</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>name</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Name specifies violated rule name.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>type</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Type specifies violated rule type.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>message</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Message specifies violation message.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>status</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Status shows the rule response status</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h2 id="kyverno.io/v1alpha1">kyverno.io/v1alpha1</h2>
|
|
<p>
|
|
<p>Package v1alpha1 contains API Schema definitions for the policy v1alpha1 API group</p>
|
|
</p>
|
|
Resource Types:
|
|
<ul></ul>
|
|
<hr />
|
|
<h3 id="kyverno.io/v1alpha1.ClusterReportChangeRequest">ClusterReportChangeRequest
|
|
</h3>
|
|
<p>
|
|
<p>ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests API</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>metadata</code></br>
|
|
<em>
|
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta">
|
|
Kubernetes meta/v1.ObjectMeta
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
Refer to the Kubernetes API documentation for the fields of the
|
|
<code>metadata</code> field.
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>scope</code></br>
|
|
<em>
|
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectreference-v1-core">
|
|
Kubernetes core/v1.ObjectReference
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node)</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>scopeSelector</code></br>
|
|
<em>
|
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#labelselector-v1-meta">
|
|
Kubernetes meta/v1.LabelSelector
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>ScopeSelector is an optional selector for multiple scopes (e.g. Pods).
|
|
Either one of, or none of, but not both of, Scope or ScopeSelector should be specified.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>summary</code></br>
|
|
<em>
|
|
<a href="#wgpolicyk8s.io/v1alpha1.PolicyReportSummary">
|
|
PolicyReportSummary
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>PolicyReportSummary provides a summary of results</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>results</code></br>
|
|
<em>
|
|
<a href="#wgpolicyk8s.io/v1alpha1.PolicyReportResult">
|
|
[]PolicyReportResult
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>PolicyReportResult provides result details</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="kyverno.io/v1alpha1.ReportChangeRequest">ReportChangeRequest
|
|
</h3>
|
|
<p>
|
|
<p>ReportChangeRequest is the Schema for the ReportChangeRequests API</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>metadata</code></br>
|
|
<em>
|
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta">
|
|
Kubernetes meta/v1.ObjectMeta
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
Refer to the Kubernetes API documentation for the fields of the
|
|
<code>metadata</code> field.
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>scope</code></br>
|
|
<em>
|
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectreference-v1-core">
|
|
Kubernetes core/v1.ObjectReference
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node)</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>scopeSelector</code></br>
|
|
<em>
|
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#labelselector-v1-meta">
|
|
Kubernetes meta/v1.LabelSelector
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>ScopeSelector is an optional selector for multiple scopes (e.g. Pods).
|
|
Either one of, or none of, but not both of, Scope or ScopeSelector should be specified.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>summary</code></br>
|
|
<em>
|
|
<a href="#wgpolicyk8s.io/v1alpha1.PolicyReportSummary">
|
|
PolicyReportSummary
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>PolicyReportSummary provides a summary of results</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>results</code></br>
|
|
<em>
|
|
<a href="#wgpolicyk8s.io/v1alpha1.PolicyReportResult">
|
|
[]PolicyReportResult
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>PolicyReportResult provides result details</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h2 id="kyverno.io/v1alpha2">kyverno.io/v1alpha2</h2>
|
|
<p>
|
|
<p>Package v1alpha2 contains API Schema definitions for the policy v1alpha2 API group</p>
|
|
</p>
|
|
Resource Types:
|
|
<ul></ul>
|
|
<hr />
|
|
<h3 id="kyverno.io/v1alpha2.ClusterReportChangeRequest">ClusterReportChangeRequest
|
|
</h3>
|
|
<p>
|
|
<p>ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests API</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>metadata</code></br>
|
|
<em>
|
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta">
|
|
Kubernetes meta/v1.ObjectMeta
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
Refer to the Kubernetes API documentation for the fields of the
|
|
<code>metadata</code> field.
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>scope</code></br>
|
|
<em>
|
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectreference-v1-core">
|
|
Kubernetes core/v1.ObjectReference
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node)</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>scopeSelector</code></br>
|
|
<em>
|
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#labelselector-v1-meta">
|
|
Kubernetes meta/v1.LabelSelector
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>ScopeSelector is an optional selector for multiple scopes (e.g. Pods).
|
|
Either one of, or none of, but not both of, Scope or ScopeSelector should be specified.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>summary</code></br>
|
|
<em>
|
|
<a href="#wgpolicyk8s.io/v1alpha2.PolicyReportSummary">
|
|
PolicyReportSummary
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>PolicyReportSummary provides a summary of results</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>results</code></br>
|
|
<em>
|
|
<a href="#wgpolicyk8s.io/v1alpha2.PolicyReportResult">
|
|
[]PolicyReportResult
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>PolicyReportResult provides result details</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="kyverno.io/v1alpha2.ReportChangeRequest">ReportChangeRequest
|
|
</h3>
|
|
<p>
|
|
<p>ReportChangeRequest is the Schema for the ReportChangeRequests API</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>metadata</code></br>
|
|
<em>
|
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta">
|
|
Kubernetes meta/v1.ObjectMeta
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
Refer to the Kubernetes API documentation for the fields of the
|
|
<code>metadata</code> field.
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>scope</code></br>
|
|
<em>
|
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectreference-v1-core">
|
|
Kubernetes core/v1.ObjectReference
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node)</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>scopeSelector</code></br>
|
|
<em>
|
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#labelselector-v1-meta">
|
|
Kubernetes meta/v1.LabelSelector
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>ScopeSelector is an optional selector for multiple scopes (e.g. Pods).
|
|
Either one of, or none of, but not both of, Scope or ScopeSelector should be specified.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>summary</code></br>
|
|
<em>
|
|
<a href="#wgpolicyk8s.io/v1alpha2.PolicyReportSummary">
|
|
PolicyReportSummary
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>PolicyReportSummary provides a summary of results</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>results</code></br>
|
|
<em>
|
|
<a href="#wgpolicyk8s.io/v1alpha2.PolicyReportResult">
|
|
[]PolicyReportResult
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>PolicyReportResult provides result details</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h2 id="wgpolicyk8s.io/v1alpha1">wgpolicyk8s.io/v1alpha1</h2>
|
|
<p>
|
|
<p>Package v1alpha1 contains API Schema definitions for the policy v1alpha1 API group</p>
|
|
</p>
|
|
Resource Types:
|
|
<ul><li>
|
|
<a href="#wgpolicyk8s.io/v1alpha1.ClusterPolicyReport">ClusterPolicyReport</a>
|
|
</li><li>
|
|
<a href="#wgpolicyk8s.io/v1alpha1.PolicyReport">PolicyReport</a>
|
|
</li></ul>
|
|
<hr />
|
|
<h3 id="wgpolicyk8s.io/v1alpha1.ClusterPolicyReport">ClusterPolicyReport
|
|
</h3>
|
|
<p>
|
|
<p>ClusterPolicyReport is the Schema for the clusterpolicyreports API</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>apiVersion</code></br>
|
|
string</td>
|
|
<td>
|
|
<code>
|
|
wgpolicyk8s.io/v1alpha1
|
|
</code>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>kind</code></br>
|
|
string
|
|
</td>
|
|
<td><code>ClusterPolicyReport</code></td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>metadata</code></br>
|
|
<em>
|
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta">
|
|
Kubernetes meta/v1.ObjectMeta
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
Refer to the Kubernetes API documentation for the fields of the
|
|
<code>metadata</code> field.
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>scope</code></br>
|
|
<em>
|
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectreference-v1-core">
|
|
Kubernetes core/v1.ObjectReference
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node)</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>scopeSelector</code></br>
|
|
<em>
|
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#labelselector-v1-meta">
|
|
Kubernetes meta/v1.LabelSelector
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>ScopeSelector is an optional selector for multiple scopes (e.g. Pods).
|
|
Either one of, or none of, but not both of, Scope or ScopeSelector should be specified.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>summary</code></br>
|
|
<em>
|
|
<a href="#wgpolicyk8s.io/v1alpha1.PolicyReportSummary">
|
|
PolicyReportSummary
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>PolicyReportSummary provides a summary of results</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>results</code></br>
|
|
<em>
|
|
<a href="#wgpolicyk8s.io/v1alpha1.PolicyReportResult">
|
|
[]PolicyReportResult
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>PolicyReportResult provides result details</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="wgpolicyk8s.io/v1alpha1.PolicyReport">PolicyReport
|
|
</h3>
|
|
<p>
|
|
<p>PolicyReport is the Schema for the policyreports API</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>apiVersion</code></br>
|
|
string</td>
|
|
<td>
|
|
<code>
|
|
wgpolicyk8s.io/v1alpha1
|
|
</code>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>kind</code></br>
|
|
string
|
|
</td>
|
|
<td><code>PolicyReport</code></td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>metadata</code></br>
|
|
<em>
|
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta">
|
|
Kubernetes meta/v1.ObjectMeta
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
Refer to the Kubernetes API documentation for the fields of the
|
|
<code>metadata</code> field.
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>scope</code></br>
|
|
<em>
|
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectreference-v1-core">
|
|
Kubernetes core/v1.ObjectReference
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node)</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>scopeSelector</code></br>
|
|
<em>
|
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#labelselector-v1-meta">
|
|
Kubernetes meta/v1.LabelSelector
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>ScopeSelector is an optional selector for multiple scopes (e.g. Pods).
|
|
Either one of, or none of, but not both of, Scope or ScopeSelector should be specified.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>summary</code></br>
|
|
<em>
|
|
<a href="#wgpolicyk8s.io/v1alpha1.PolicyReportSummary">
|
|
PolicyReportSummary
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>PolicyReportSummary provides a summary of results</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>results</code></br>
|
|
<em>
|
|
<a href="#wgpolicyk8s.io/v1alpha1.PolicyReportResult">
|
|
[]PolicyReportResult
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>PolicyReportResult provides result details</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="wgpolicyk8s.io/v1alpha1.PolicyReportResult">PolicyReportResult
|
|
</h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#wgpolicyk8s.io/v1alpha1.ClusterPolicyReport">ClusterPolicyReport</a>,
|
|
<a href="#wgpolicyk8s.io/v1alpha1.PolicyReport">PolicyReport</a>,
|
|
<a href="#kyverno.io/v1alpha1.ClusterReportChangeRequest">ClusterReportChangeRequest</a>,
|
|
<a href="#kyverno.io/v1alpha1.ReportChangeRequest">ReportChangeRequest</a>)
|
|
</p>
|
|
<p>
|
|
<p>PolicyReportResult provides the result for an individual policy</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>policy</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Policy is the name of the policy</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>rule</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Rule is the name of the policy rule</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>resources</code></br>
|
|
<em>
|
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectreference-v1-core">
|
|
[]Kubernetes core/v1.ObjectReference
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Resources is an optional reference to the resource checked by the policy and rule</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>resourceSelector</code></br>
|
|
<em>
|
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#labelselector-v1-meta">
|
|
Kubernetes meta/v1.LabelSelector
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>ResourceSelector is an optional selector for policy results that apply to multiple resources.
|
|
For example, a policy result may apply to all pods that match a label.
|
|
Either a Resource or a ResourceSelector can be specified. If neither are provided, the
|
|
result is assumed to be for the policy report scope.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>message</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Message is a short user friendly description of the policy rule</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>status</code></br>
|
|
<em>
|
|
<a href="#wgpolicyk8s.io/v1alpha1.PolicyStatus">
|
|
PolicyStatus
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Status indicates the result of the policy rule check</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>scored</code></br>
|
|
<em>
|
|
bool
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Scored indicates if this policy rule is scored</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>data</code></br>
|
|
<em>
|
|
map[string]string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Data provides additional information for the policy rule</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>category</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Category indicates policy category</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>severity</code></br>
|
|
<em>
|
|
<a href="#wgpolicyk8s.io/v1alpha1.PolicySeverity">
|
|
PolicySeverity
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Severity indicates policy severity</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="wgpolicyk8s.io/v1alpha1.PolicyReportSummary">PolicyReportSummary
|
|
</h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#wgpolicyk8s.io/v1alpha1.ClusterPolicyReport">ClusterPolicyReport</a>,
|
|
<a href="#wgpolicyk8s.io/v1alpha1.PolicyReport">PolicyReport</a>,
|
|
<a href="#kyverno.io/v1alpha1.ClusterReportChangeRequest">ClusterReportChangeRequest</a>,
|
|
<a href="#kyverno.io/v1alpha1.ReportChangeRequest">ReportChangeRequest</a>)
|
|
</p>
|
|
<p>
|
|
<p>PolicyReportSummary provides a status count summary</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>pass</code></br>
|
|
<em>
|
|
int
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Pass provides the count of policies whose requirements were met</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>fail</code></br>
|
|
<em>
|
|
int
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Fail provides the count of policies whose requirements were not met</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>warn</code></br>
|
|
<em>
|
|
int
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Warn provides the count of unscored policies whose requirements were not met</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>error</code></br>
|
|
<em>
|
|
int
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Error provides the count of policies that could not be evaluated</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>skip</code></br>
|
|
<em>
|
|
int
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Skip indicates the count of policies that were not selected for evaluation</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="wgpolicyk8s.io/v1alpha1.PolicySeverity">PolicySeverity
|
|
(<code>string</code> alias)</p></h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#wgpolicyk8s.io/v1alpha1.PolicyReportResult">PolicyReportResult</a>)
|
|
</p>
|
|
<p>
|
|
<p>PolicySeverity has one of the following values:
|
|
- high
|
|
- low
|
|
- medium</p>
|
|
</p>
|
|
<h3 id="wgpolicyk8s.io/v1alpha1.PolicyStatus">PolicyStatus
|
|
(<code>string</code> alias)</p></h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#wgpolicyk8s.io/v1alpha1.PolicyReportResult">PolicyReportResult</a>)
|
|
</p>
|
|
<p>
|
|
<p>PolicyStatus has one of the following values:
|
|
- pass: indicates that the policy requirements are met
|
|
- fail: indicates that the policy requirements are not met
|
|
- warn: indicates that the policy requirements and not met, and the policy is not scored
|
|
- error: indicates that the policy could not be evaluated
|
|
- skip: indicates that the policy was not selected based on user inputs or applicability</p>
|
|
</p>
|
|
<h2 id="wgpolicyk8s.io/v1alpha2">wgpolicyk8s.io/v1alpha2</h2>
|
|
<p>
|
|
<p>Package v1alpha2 contains API Schema definitions for the policy v1alpha2 API group</p>
|
|
</p>
|
|
Resource Types:
|
|
<ul><li>
|
|
<a href="#wgpolicyk8s.io/v1alpha2.ClusterPolicyReport">ClusterPolicyReport</a>
|
|
</li><li>
|
|
<a href="#wgpolicyk8s.io/v1alpha2.PolicyReport">PolicyReport</a>
|
|
</li></ul>
|
|
<hr />
|
|
<h3 id="wgpolicyk8s.io/v1alpha2.ClusterPolicyReport">ClusterPolicyReport
|
|
</h3>
|
|
<p>
|
|
<p>ClusterPolicyReport is the Schema for the clusterpolicyreports API</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>apiVersion</code></br>
|
|
string</td>
|
|
<td>
|
|
<code>
|
|
wgpolicyk8s.io/v1alpha2
|
|
</code>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>kind</code></br>
|
|
string
|
|
</td>
|
|
<td><code>ClusterPolicyReport</code></td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>metadata</code></br>
|
|
<em>
|
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta">
|
|
Kubernetes meta/v1.ObjectMeta
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
Refer to the Kubernetes API documentation for the fields of the
|
|
<code>metadata</code> field.
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>scope</code></br>
|
|
<em>
|
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectreference-v1-core">
|
|
Kubernetes core/v1.ObjectReference
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node)</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>scopeSelector</code></br>
|
|
<em>
|
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#labelselector-v1-meta">
|
|
Kubernetes meta/v1.LabelSelector
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>ScopeSelector is an optional selector for multiple scopes (e.g. Pods).
|
|
Either one of, or none of, but not both of, Scope or ScopeSelector should be specified.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>summary</code></br>
|
|
<em>
|
|
<a href="#wgpolicyk8s.io/v1alpha2.PolicyReportSummary">
|
|
PolicyReportSummary
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>PolicyReportSummary provides a summary of results</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>results</code></br>
|
|
<em>
|
|
<a href="#wgpolicyk8s.io/v1alpha2.PolicyReportResult">
|
|
[]PolicyReportResult
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>PolicyReportResult provides result details</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="wgpolicyk8s.io/v1alpha2.PolicyReport">PolicyReport
|
|
</h3>
|
|
<p>
|
|
<p>PolicyReport is the Schema for the policyreports API</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>apiVersion</code></br>
|
|
string</td>
|
|
<td>
|
|
<code>
|
|
wgpolicyk8s.io/v1alpha2
|
|
</code>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>kind</code></br>
|
|
string
|
|
</td>
|
|
<td><code>PolicyReport</code></td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>metadata</code></br>
|
|
<em>
|
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta">
|
|
Kubernetes meta/v1.ObjectMeta
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
Refer to the Kubernetes API documentation for the fields of the
|
|
<code>metadata</code> field.
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>scope</code></br>
|
|
<em>
|
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectreference-v1-core">
|
|
Kubernetes core/v1.ObjectReference
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node)</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>scopeSelector</code></br>
|
|
<em>
|
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#labelselector-v1-meta">
|
|
Kubernetes meta/v1.LabelSelector
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>ScopeSelector is an optional selector for multiple scopes (e.g. Pods).
|
|
Either one of, or none of, but not both of, Scope or ScopeSelector should be specified.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>summary</code></br>
|
|
<em>
|
|
<a href="#wgpolicyk8s.io/v1alpha2.PolicyReportSummary">
|
|
PolicyReportSummary
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>PolicyReportSummary provides a summary of results</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>results</code></br>
|
|
<em>
|
|
<a href="#wgpolicyk8s.io/v1alpha2.PolicyReportResult">
|
|
[]PolicyReportResult
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>PolicyReportResult provides result details</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="wgpolicyk8s.io/v1alpha2.PolicyReportResult">PolicyReportResult
|
|
</h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#wgpolicyk8s.io/v1alpha2.ClusterPolicyReport">ClusterPolicyReport</a>,
|
|
<a href="#wgpolicyk8s.io/v1alpha2.PolicyReport">PolicyReport</a>,
|
|
<a href="#kyverno.io/v1alpha2.ClusterReportChangeRequest">ClusterReportChangeRequest</a>,
|
|
<a href="#kyverno.io/v1alpha2.ReportChangeRequest">ReportChangeRequest</a>)
|
|
</p>
|
|
<p>
|
|
<p>PolicyReportResult provides the result for an individual policy</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>source</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Source is an identifier for the policy engine that manages this report</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>policy</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Policy is the name of the policy</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>rule</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Rule is the name of the policy rule</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>resources</code></br>
|
|
<em>
|
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectreference-v1-core">
|
|
[]Kubernetes core/v1.ObjectReference
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Resources is an optional reference to the resource checked by the policy and rule</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>resourceSelector</code></br>
|
|
<em>
|
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#labelselector-v1-meta">
|
|
Kubernetes meta/v1.LabelSelector
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>ResourceSelector is an optional selector for policy results that apply to multiple resources.
|
|
For example, a policy result may apply to all pods that match a label.
|
|
Either a Resource or a ResourceSelector can be specified. If neither are provided, the
|
|
result is assumed to be for the policy report scope.</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>message</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Message is a short user friendly description of the policy rule</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>result</code></br>
|
|
<em>
|
|
<a href="#wgpolicyk8s.io/v1alpha2.PolicyResult">
|
|
PolicyResult
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Result indicates the outcome of the policy rule execution</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>scored</code></br>
|
|
<em>
|
|
bool
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Scored indicates if this policy rule is scored</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>properties</code></br>
|
|
<em>
|
|
map[string]string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Properties provides additional information for the policy rule</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>timestamp</code></br>
|
|
<em>
|
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#timestamp-v1-meta">
|
|
Kubernetes meta/v1.Timestamp
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<p>Timestamp indicates the time the result was found</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>category</code></br>
|
|
<em>
|
|
string
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Category indicates policy category</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>severity</code></br>
|
|
<em>
|
|
<a href="#wgpolicyk8s.io/v1alpha2.PolicySeverity">
|
|
PolicySeverity
|
|
</a>
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Severity indicates policy severity</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="wgpolicyk8s.io/v1alpha2.PolicyReportSummary">PolicyReportSummary
|
|
</h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#wgpolicyk8s.io/v1alpha2.ClusterPolicyReport">ClusterPolicyReport</a>,
|
|
<a href="#wgpolicyk8s.io/v1alpha2.PolicyReport">PolicyReport</a>,
|
|
<a href="#kyverno.io/v1alpha2.ClusterReportChangeRequest">ClusterReportChangeRequest</a>,
|
|
<a href="#kyverno.io/v1alpha2.ReportChangeRequest">ReportChangeRequest</a>)
|
|
</p>
|
|
<p>
|
|
<p>PolicyReportSummary provides a status count summary</p>
|
|
</p>
|
|
<table class="table table-striped">
|
|
<thead class="thead-dark">
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>
|
|
<code>pass</code></br>
|
|
<em>
|
|
int
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Pass provides the count of policies whose requirements were met</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>fail</code></br>
|
|
<em>
|
|
int
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Fail provides the count of policies whose requirements were not met</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>warn</code></br>
|
|
<em>
|
|
int
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Warn provides the count of unscored policies whose requirements were not met</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>error</code></br>
|
|
<em>
|
|
int
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Error provides the count of policies that could not be evaluated</p>
|
|
</td>
|
|
</tr>
|
|
<tr>
|
|
<td>
|
|
<code>skip</code></br>
|
|
<em>
|
|
int
|
|
</em>
|
|
</td>
|
|
<td>
|
|
<em>(Optional)</em>
|
|
<p>Skip indicates the count of policies that were not selected for evaluation</p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<hr />
|
|
<h3 id="wgpolicyk8s.io/v1alpha2.PolicyResult">PolicyResult
|
|
(<code>string</code> alias)</p></h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#wgpolicyk8s.io/v1alpha2.PolicyReportResult">PolicyReportResult</a>)
|
|
</p>
|
|
<p>
|
|
<p>PolicyResult has one of the following values:
|
|
- pass: indicates that the policy requirements are met
|
|
- fail: indicates that the policy requirements are not met
|
|
- warn: indicates that the policy requirements and not met, and the policy is not scored
|
|
- error: indicates that the policy could not be evaluated
|
|
- skip: indicates that the policy was not selected based on user inputs or applicability</p>
|
|
</p>
|
|
<h3 id="wgpolicyk8s.io/v1alpha2.PolicySeverity">PolicySeverity
|
|
(<code>string</code> alias)</p></h3>
|
|
<p>
|
|
(<em>Appears on:</em>
|
|
<a href="#wgpolicyk8s.io/v1alpha2.PolicyReportResult">PolicyReportResult</a>)
|
|
</p>
|
|
<p>
|
|
<p>PolicySeverity has one of the following values:
|
|
- high
|
|
- low
|
|
- medium</p>
|
|
</p>
|
|
</div>
|
|
<script src="https://code.jquery.com/jquery-3.3.1.slim.min.js" integrity="sha384-q8i/X+965DzO0rT7abK41JStQIAqVgRVzpbzo5smXKp4YfRvH+8abtTE1Pi6jizo" crossorigin="anonymous"></script>
|
|
<script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.7/umd/popper.min.js" integrity="sha384-UO2eT0CpHqdSJQ6hJty5KVphtPhzWj9WO1clHTMGa3JDZwrnQq4sF86dIHNDz0W1" crossorigin="anonymous"></script>
|
|
<script src="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js" integrity="sha384-JjSmVgyd0p3pXB1rRibZUAYoIIy6OrQ6VrjIEaFf/nJGzIxFDsf4x0xIM+B07jRM" crossorigin="anonymous"></script>
|
|
</body>
|
|
</html>
|