mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-07 00:17:13 +00:00
747 lines
No EOL
24 KiB
YAML
Executable file
747 lines
No EOL
24 KiB
YAML
Executable file
apiVersion: apiextensions.k8s.io/v1beta1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
name: clusterpolicies.kyverno.io
|
|
spec:
|
|
group: kyverno.io
|
|
versions:
|
|
- name: v1
|
|
served: true
|
|
storage: true
|
|
scope: Cluster
|
|
names:
|
|
kind: ClusterPolicy
|
|
plural: clusterpolicies
|
|
singular: clusterpolicy
|
|
shortNames:
|
|
- cpol
|
|
subresources:
|
|
status: {}
|
|
validation:
|
|
openAPIV3Schema:
|
|
properties:
|
|
status: {}
|
|
spec:
|
|
required:
|
|
- rules
|
|
properties:
|
|
# default values to be handled by user
|
|
validationFailureAction:
|
|
type: string
|
|
enum:
|
|
- enforce # blocks the resorce api-reques if a rule fails.
|
|
- audit # allows resource creation and reports the failed validation rules as violations. Default
|
|
background:
|
|
type: boolean
|
|
rules:
|
|
type: array
|
|
items:
|
|
type: object
|
|
required:
|
|
- name
|
|
- match
|
|
properties:
|
|
name:
|
|
type: string
|
|
match:
|
|
type: object
|
|
required:
|
|
- resources
|
|
properties:
|
|
roles:
|
|
type: array
|
|
items:
|
|
type: string
|
|
clusterRoles:
|
|
type: array
|
|
items:
|
|
type: string
|
|
subjects:
|
|
type: array
|
|
items:
|
|
type: object
|
|
required:
|
|
- kind
|
|
- name
|
|
properties:
|
|
kind:
|
|
type: string
|
|
apiGroup:
|
|
type: string
|
|
name:
|
|
type: string
|
|
namespace:
|
|
type: string
|
|
resources:
|
|
type: object
|
|
minProperties: 1
|
|
properties:
|
|
kinds:
|
|
type: array
|
|
items:
|
|
type: string
|
|
name:
|
|
type: string
|
|
namespaces:
|
|
type: array
|
|
items:
|
|
type: string
|
|
annotations:
|
|
type: object
|
|
additionalProperties:
|
|
type: string
|
|
selector:
|
|
properties:
|
|
matchLabels:
|
|
type: object
|
|
additionalProperties:
|
|
type: string
|
|
matchExpressions:
|
|
type: array
|
|
items:
|
|
type: object
|
|
required:
|
|
- key
|
|
- operator
|
|
properties:
|
|
key:
|
|
type: string
|
|
operator:
|
|
type: string
|
|
values:
|
|
type: array
|
|
items:
|
|
type: string
|
|
exclude:
|
|
type: object
|
|
properties:
|
|
roles:
|
|
type: array
|
|
items:
|
|
type: string
|
|
clusterRoles:
|
|
type: array
|
|
items:
|
|
type: string
|
|
subjects:
|
|
type: array
|
|
items:
|
|
type: object
|
|
required:
|
|
- kind
|
|
- name
|
|
properties:
|
|
kind:
|
|
type: string
|
|
apiGroup:
|
|
type: string
|
|
name:
|
|
type: string
|
|
namespace:
|
|
type: string
|
|
resources:
|
|
type: object
|
|
properties:
|
|
kinds:
|
|
type: array
|
|
items:
|
|
type: string
|
|
name:
|
|
type: string
|
|
namespaces:
|
|
type: array
|
|
items:
|
|
type: string
|
|
annotations:
|
|
type: object
|
|
additionalProperties:
|
|
type: string
|
|
selector:
|
|
properties:
|
|
matchLabels:
|
|
type: object
|
|
additionalProperties:
|
|
type: string
|
|
matchExpressions:
|
|
type: array
|
|
items:
|
|
type: object
|
|
required:
|
|
- key
|
|
- operator
|
|
properties:
|
|
key:
|
|
type: string
|
|
operator:
|
|
type: string
|
|
values:
|
|
type: array
|
|
items:
|
|
type: string
|
|
preconditions:
|
|
type: array
|
|
items:
|
|
type: object
|
|
required:
|
|
- key # can be of any type
|
|
- operator # typed
|
|
- value # can be of any type
|
|
mutate:
|
|
type: object
|
|
properties:
|
|
overlay: {}
|
|
patchStrategicMerge: {}
|
|
patchesJson6902:
|
|
type: string
|
|
patches:
|
|
type: array
|
|
items:
|
|
type: object
|
|
required:
|
|
- path
|
|
- op
|
|
properties:
|
|
path:
|
|
type: string
|
|
op:
|
|
type: string
|
|
enum:
|
|
- add
|
|
- replace
|
|
- remove
|
|
value: {}
|
|
validate:
|
|
type: object
|
|
properties:
|
|
message:
|
|
type: string
|
|
pattern: {}
|
|
anyPattern: {}
|
|
deny:
|
|
properties:
|
|
conditions:
|
|
type: array
|
|
items:
|
|
type: object
|
|
required:
|
|
- key # can be of any type
|
|
- operator # typed
|
|
- value # can be of any type
|
|
properties:
|
|
operator:
|
|
type: string
|
|
enum:
|
|
- Equal
|
|
- Equals
|
|
- NotEqual
|
|
- NotEquals
|
|
- In
|
|
- NotIn
|
|
key:
|
|
type: string
|
|
value:
|
|
anyOf:
|
|
- type: string
|
|
- type: array
|
|
items: {}
|
|
generate:
|
|
type: object
|
|
required:
|
|
- kind
|
|
- name
|
|
properties:
|
|
apiVersion:
|
|
type: string
|
|
kind:
|
|
type: string
|
|
name:
|
|
type: string
|
|
namespace:
|
|
type: string
|
|
synchronize:
|
|
type: boolean
|
|
clone:
|
|
type: object
|
|
required:
|
|
- namespace
|
|
- name
|
|
properties:
|
|
namespace:
|
|
type: string
|
|
name:
|
|
type: string
|
|
data: {}
|
|
---
|
|
apiVersion: apiextensions.k8s.io/v1beta1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
name: policies.kyverno.io
|
|
spec:
|
|
group: kyverno.io
|
|
versions:
|
|
- name: v1
|
|
served: true
|
|
storage: true
|
|
scope: Namespaced
|
|
names:
|
|
kind: Policy
|
|
plural: policies
|
|
singular: policy
|
|
shortNames:
|
|
- pol
|
|
subresources:
|
|
status: {}
|
|
validation:
|
|
openAPIV3Schema:
|
|
properties:
|
|
status: {}
|
|
spec:
|
|
required:
|
|
- rules
|
|
properties:
|
|
# default values to be handled by user
|
|
validationFailureAction:
|
|
type: string
|
|
enum:
|
|
- enforce # blocks the resorce api-reques if a rule fails.
|
|
- audit # allows resource creation and reports the failed validation rules as violations. Default
|
|
background:
|
|
type: boolean
|
|
rules:
|
|
type: array
|
|
items:
|
|
type: object
|
|
required:
|
|
- name
|
|
- match
|
|
properties:
|
|
name:
|
|
type: string
|
|
match:
|
|
type: object
|
|
required:
|
|
- resources
|
|
properties:
|
|
roles:
|
|
type: array
|
|
items:
|
|
type: string
|
|
clusterRoles:
|
|
type: array
|
|
items:
|
|
type: string
|
|
subjects:
|
|
type: array
|
|
items:
|
|
type: object
|
|
required:
|
|
- kind
|
|
- name
|
|
properties:
|
|
kind:
|
|
type: string
|
|
apiGroup:
|
|
type: string
|
|
name:
|
|
type: string
|
|
namespace:
|
|
type: string
|
|
resources:
|
|
type: object
|
|
minProperties: 1
|
|
properties:
|
|
kinds:
|
|
type: array
|
|
items:
|
|
type: string
|
|
name:
|
|
type: string
|
|
selector:
|
|
properties:
|
|
matchLabels:
|
|
type: object
|
|
additionalProperties:
|
|
type: string
|
|
matchExpressions:
|
|
type: array
|
|
items:
|
|
type: object
|
|
required:
|
|
- key
|
|
- operator
|
|
properties:
|
|
key:
|
|
type: string
|
|
operator:
|
|
type: string
|
|
values:
|
|
type: array
|
|
items:
|
|
type: string
|
|
exclude:
|
|
type: object
|
|
properties:
|
|
roles:
|
|
type: array
|
|
items:
|
|
type: string
|
|
clusterRoles:
|
|
type: array
|
|
items:
|
|
type: string
|
|
subjects:
|
|
type: array
|
|
items:
|
|
type: object
|
|
required:
|
|
- kind
|
|
- name
|
|
properties:
|
|
kind:
|
|
type: string
|
|
apiGroup:
|
|
type: string
|
|
name:
|
|
type: string
|
|
namespace:
|
|
type: string
|
|
resources:
|
|
type: object
|
|
properties:
|
|
kinds:
|
|
type: array
|
|
items:
|
|
type: string
|
|
name:
|
|
type: string
|
|
selector:
|
|
properties:
|
|
matchLabels:
|
|
type: object
|
|
additionalProperties:
|
|
type: string
|
|
matchExpressions:
|
|
type: array
|
|
items:
|
|
type: object
|
|
required:
|
|
- key
|
|
- operator
|
|
properties:
|
|
key:
|
|
type: string
|
|
operator:
|
|
type: string
|
|
values:
|
|
type: array
|
|
items:
|
|
type: string
|
|
preconditions:
|
|
type: array
|
|
items:
|
|
type: object
|
|
required:
|
|
- key # can be of any type
|
|
- operator # typed
|
|
- value # can be of any type
|
|
mutate:
|
|
type: object
|
|
properties:
|
|
overlay:
|
|
AnyValue: {}
|
|
patchStrategicMerge:
|
|
AnyValue: {}
|
|
patchesJson6902:
|
|
type: string
|
|
patches:
|
|
type: array
|
|
items:
|
|
type: object
|
|
required:
|
|
- path
|
|
- op
|
|
properties:
|
|
path:
|
|
type: string
|
|
op:
|
|
type: string
|
|
enum:
|
|
- add
|
|
- replace
|
|
- remove
|
|
value:
|
|
AnyValue: {}
|
|
validate:
|
|
type: object
|
|
properties:
|
|
message:
|
|
type: string
|
|
pattern:
|
|
AnyValue: {}
|
|
anyPattern:
|
|
AnyValue: {}
|
|
deny:
|
|
properties:
|
|
conditions:
|
|
type: array
|
|
items:
|
|
type: object
|
|
required:
|
|
- key # can be of any type
|
|
- operator # typed
|
|
- value # can be of any type
|
|
properties:
|
|
operator:
|
|
type: string
|
|
enum:
|
|
- Equal
|
|
- Equals
|
|
- NotEqual
|
|
- NotEquals
|
|
- In
|
|
- NotIn
|
|
key:
|
|
type: string
|
|
value:
|
|
anyOf:
|
|
- type: string
|
|
- type: array
|
|
items: {}
|
|
generate:
|
|
type: object
|
|
required:
|
|
- kind
|
|
- name
|
|
properties:
|
|
apiVersion:
|
|
type: string
|
|
kind:
|
|
type: string
|
|
name:
|
|
type: string
|
|
namespace:
|
|
type: string
|
|
synchronize:
|
|
type: boolean
|
|
clone:
|
|
type: object
|
|
required:
|
|
- namespace
|
|
- name
|
|
properties:
|
|
namespace:
|
|
type: string
|
|
name:
|
|
type: string
|
|
data:
|
|
AnyValue: {}
|
|
---
|
|
apiVersion: apiextensions.k8s.io/v1beta1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
name: clusterpolicyviolations.kyverno.io
|
|
spec:
|
|
group: kyverno.io
|
|
versions:
|
|
- name: v1
|
|
served: true
|
|
storage: true
|
|
scope: Cluster
|
|
names:
|
|
kind: ClusterPolicyViolation
|
|
plural: clusterpolicyviolations
|
|
singular: clusterpolicyviolation
|
|
shortNames:
|
|
- cpolv
|
|
subresources:
|
|
status: {}
|
|
additionalPrinterColumns:
|
|
- name: Policy
|
|
type: string
|
|
description: The policy that resulted in the violation
|
|
JSONPath: .spec.policy
|
|
- name: ResourceKind
|
|
type: string
|
|
description: The resource kind that cause the violation
|
|
JSONPath: .spec.resource.kind
|
|
- name: ResourceName
|
|
type: string
|
|
description: The resource name that caused the violation
|
|
JSONPath: .spec.resource.name
|
|
- name: Age
|
|
type: date
|
|
JSONPath: .metadata.creationTimestamp
|
|
validation:
|
|
openAPIV3Schema:
|
|
properties:
|
|
spec:
|
|
required:
|
|
- policy
|
|
- resource
|
|
- rules
|
|
properties:
|
|
policy:
|
|
type: string
|
|
resource:
|
|
type: object
|
|
required:
|
|
- kind
|
|
- name
|
|
properties:
|
|
kind:
|
|
type: string
|
|
name:
|
|
type: string
|
|
rules:
|
|
type: array
|
|
items:
|
|
type: object
|
|
required:
|
|
- name
|
|
- type
|
|
- message
|
|
properties:
|
|
name:
|
|
type: string
|
|
type:
|
|
type: string
|
|
message:
|
|
type: string
|
|
---
|
|
apiVersion: apiextensions.k8s.io/v1beta1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
name: policyviolations.kyverno.io
|
|
spec:
|
|
group: kyverno.io
|
|
versions:
|
|
- name: v1
|
|
served: true
|
|
storage: true
|
|
scope: Namespaced
|
|
names:
|
|
kind: PolicyViolation
|
|
plural: policyviolations
|
|
singular: policyviolation
|
|
shortNames:
|
|
- polv
|
|
subresources:
|
|
status: {}
|
|
additionalPrinterColumns:
|
|
- name: Policy
|
|
type: string
|
|
description: The policy that resulted in the violation
|
|
JSONPath: .spec.policy
|
|
- name: ResourceKind
|
|
type: string
|
|
description: The resource kind that cause the violation
|
|
JSONPath: .spec.resource.kind
|
|
- name: ResourceName
|
|
type: string
|
|
description: The resource name that caused the violation
|
|
JSONPath: .spec.resource.name
|
|
- name: Age
|
|
type: date
|
|
JSONPath: .metadata.creationTimestamp
|
|
validation:
|
|
openAPIV3Schema:
|
|
properties:
|
|
spec:
|
|
required:
|
|
- policy
|
|
- resource
|
|
- rules
|
|
properties:
|
|
policy:
|
|
type: string
|
|
resource:
|
|
type: object
|
|
required:
|
|
- kind
|
|
- name
|
|
properties:
|
|
kind:
|
|
type: string
|
|
name:
|
|
type: string
|
|
rules:
|
|
type: array
|
|
items:
|
|
type: object
|
|
required:
|
|
- name
|
|
- type
|
|
- message
|
|
properties:
|
|
name:
|
|
type: string
|
|
type:
|
|
type: string
|
|
message:
|
|
type: string
|
|
---
|
|
apiVersion: apiextensions.k8s.io/v1beta1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
name: generaterequests.kyverno.io
|
|
spec:
|
|
group: kyverno.io
|
|
versions:
|
|
- name: v1
|
|
served: true
|
|
storage: true
|
|
scope: Namespaced
|
|
names:
|
|
kind: GenerateRequest
|
|
plural: generaterequests
|
|
singular: generaterequest
|
|
shortNames:
|
|
- gr
|
|
subresources:
|
|
status: {}
|
|
additionalPrinterColumns:
|
|
- name: Policy
|
|
type: string
|
|
description: The policy that resulted in the violation
|
|
JSONPath: .spec.policy
|
|
- name: ResourceKind
|
|
type: string
|
|
description: The resource kind that cause the violation
|
|
JSONPath: .spec.resource.kind
|
|
- name: ResourceName
|
|
type: string
|
|
description: The resource name that caused the violation
|
|
JSONPath: .spec.resource.name
|
|
- name: ResourceNamespace
|
|
type: string
|
|
description: The resource namespace that caused the violation
|
|
JSONPath: .spec.resource.namespace
|
|
- name: status
|
|
type : string
|
|
description: Current state of generate request
|
|
JSONPath: .status.state
|
|
- name: Age
|
|
type: date
|
|
JSONPath: .metadata.creationTimestamp
|
|
validation:
|
|
openAPIV3Schema:
|
|
properties:
|
|
spec:
|
|
required:
|
|
- policy
|
|
- resource
|
|
properties:
|
|
policy:
|
|
type: string
|
|
resource:
|
|
type: object
|
|
required:
|
|
- kind
|
|
- name
|
|
properties:
|
|
kind:
|
|
type: string
|
|
name:
|
|
type: string
|
|
namespace:
|
|
type: string |