mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-14 11:57:48 +00:00
9e9e119f83
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
7804 lines
433 KiB
YAML
7804 lines
433 KiB
YAML
apiVersion: v1
|
|
kind: Namespace
|
|
metadata:
|
|
labels:
|
|
app: kyverno
|
|
app.kubernetes.io/component: kyverno
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/name: kyverno
|
|
app.kubernetes.io/part-of: kyverno
|
|
app.kubernetes.io/version: latest
|
|
name: kyverno
|
|
---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.8.0
|
|
creationTimestamp: null
|
|
labels:
|
|
app.kubernetes.io/component: kyverno
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/name: kyverno
|
|
app.kubernetes.io/part-of: kyverno
|
|
app.kubernetes.io/version: latest
|
|
name: clusterpolicies.kyverno.io
|
|
spec:
|
|
group: kyverno.io
|
|
names:
|
|
kind: ClusterPolicy
|
|
listKind: ClusterPolicyList
|
|
plural: clusterpolicies
|
|
shortNames:
|
|
- cpol
|
|
singular: clusterpolicy
|
|
scope: Cluster
|
|
versions:
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .spec.background
|
|
name: Background
|
|
type: string
|
|
- jsonPath: .spec.validationFailureAction
|
|
name: Action
|
|
type: string
|
|
- jsonPath: .spec.failurePolicy
|
|
name: Failure Policy
|
|
priority: 1
|
|
type: string
|
|
- jsonPath: .status.ready
|
|
name: Ready
|
|
type: string
|
|
name: v1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: ClusterPolicy declares validation, mutation, and generation behaviors
|
|
for matching resources.
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Spec declares policy behaviors.
|
|
properties:
|
|
background:
|
|
description: Background controls if rules are applied to existing
|
|
resources during a background scan. Optional. Default value is "true".
|
|
The value must be set to "false" if the policy rule uses variables
|
|
that are only available in the admission review request (e.g. user
|
|
name).
|
|
type: boolean
|
|
failurePolicy:
|
|
description: FailurePolicy defines how unrecognized errors from the
|
|
admission endpoint are handled. Rules within the same policy share
|
|
the same failure behavior. Allowed values are Ignore or Fail. Defaults
|
|
to Fail.
|
|
enum:
|
|
- Ignore
|
|
- Fail
|
|
type: string
|
|
generateExistingOnPolicyUpdate:
|
|
description: GenerateExistingOnPolicyUpdate controls wether to trigger
|
|
generate rule in existing resources If is set to "true" generate
|
|
rule will be triggered and applied to existing matched resources.
|
|
Defaults to "false" if not specified.
|
|
type: boolean
|
|
mutateExistingOnPolicyUpdate:
|
|
description: MutateExistingOnPolicyUpdate controls if a mutateExisting
|
|
policy is applied on policy events. Default value is "false".
|
|
type: boolean
|
|
rules:
|
|
description: Rules is a list of Rule instances. A Policy contains
|
|
multiple rules and each rule can validate, mutate, or generate resources.
|
|
items:
|
|
description: Rule defines a validation, mutation, or generation
|
|
control for matching resources. Each rules contains a match declaration
|
|
to select resources, and an optional exclude declaration to specify
|
|
which resources to exclude.
|
|
properties:
|
|
context:
|
|
description: Context defines variables and data sources that
|
|
can be used during rule execution.
|
|
items:
|
|
description: ContextEntry adds variables and data sources
|
|
to a rule Context. Either a ConfigMap reference or a APILookup
|
|
must be provided.
|
|
properties:
|
|
apiCall:
|
|
description: APICall defines an HTTP request to the Kubernetes
|
|
API server. The JSON data retrieved is stored in the
|
|
context.
|
|
properties:
|
|
jmesPath:
|
|
description: JMESPath is an optional JSON Match Expression
|
|
that can be used to transform the JSON response
|
|
returned from the API server. For example a JMESPath
|
|
of "items | length(@)" applied to the API server
|
|
response to the URLPath "/apis/apps/v1/deployments"
|
|
will return the total count of deployments across
|
|
all namespaces.
|
|
type: string
|
|
urlPath:
|
|
description: URLPath is the URL path to be used in
|
|
the HTTP GET request to the Kubernetes API server
|
|
(e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the
|
|
`kubectl get --raw` command.
|
|
type: string
|
|
required:
|
|
- urlPath
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: ImageRegistry defines requests to an OCI/Docker
|
|
V2 registry to fetch image details.
|
|
properties:
|
|
jmesPath:
|
|
description: JMESPath is an optional JSON Match Expression
|
|
that can be used to transform the ImageData struct
|
|
returned as a result of processing the image reference.
|
|
type: string
|
|
reference:
|
|
description: 'Reference is image reference to a container
|
|
image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath context
|
|
variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: Default is an optional arbitrary JSON
|
|
object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: JMESPath is an optional JMESPath Expression
|
|
that can be used to transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON object representable
|
|
in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: object
|
|
type: array
|
|
exclude:
|
|
description: ExcludeResources defines when this policy rule
|
|
should not be applied. The exclude criteria can include resource
|
|
information (e.g. kind, name, namespace, labels) and admission
|
|
review request information like the name or role.
|
|
properties:
|
|
all:
|
|
description: All allows specifying resources which will
|
|
be ANDed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or "OR"
|
|
between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations is a map of annotations
|
|
(key-value pairs of type string). Annotation
|
|
keys and values support the wildcard characters
|
|
"*" (matches zero or many characters) and "?"
|
|
(matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: 'Name is the name of the resource.
|
|
The name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one
|
|
character). NOTE: "Name" is being deprecated
|
|
in favor of "Names".'
|
|
type: string
|
|
names:
|
|
description: Names are the names of the resources.
|
|
Each name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one
|
|
character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: 'NamespaceSelector is a label selector
|
|
for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters
|
|
`*` (matches zero or many characters) and `?`
|
|
(matches one character).Wildcards allows writing
|
|
label selectors like ["storage.k8s.io/*": "*"].
|
|
Note that using ["*" : "*"] matches any key
|
|
and value but does not match an empty label
|
|
set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a
|
|
key, and an operator that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only
|
|
"value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
namespaces:
|
|
description: Namespaces is a list of namespaces
|
|
names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?"
|
|
(at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: 'Selector is a label selector. Label
|
|
keys and values in `matchLabels` support the
|
|
wildcard characters `*` (matches zero or many
|
|
characters) and `?` (matches one character).
|
|
Wildcards allows writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*"
|
|
: "*"] matches any key and value but does not
|
|
match an empty label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a
|
|
key, and an operator that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only
|
|
"value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: Subject contains a reference to the
|
|
object or user identities a role binding applies
|
|
to. This can either hold a direct API object
|
|
reference, or a value for non-objects such as
|
|
user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: APIGroup holds the API group of
|
|
the referenced subject. Defaults to "" for
|
|
ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
|
|
for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: Kind of object being referenced.
|
|
Values defined by this API group are "User",
|
|
"Group", and "ServiceAccount". If the Authorizer
|
|
does not recognized the kind value, the Authorizer
|
|
should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the referenced object. If
|
|
the object kind is non-namespace, such as
|
|
"User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: Any allows specifying resources which will
|
|
be ORed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or "OR"
|
|
between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations is a map of annotations
|
|
(key-value pairs of type string). Annotation
|
|
keys and values support the wildcard characters
|
|
"*" (matches zero or many characters) and "?"
|
|
(matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: 'Name is the name of the resource.
|
|
The name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one
|
|
character). NOTE: "Name" is being deprecated
|
|
in favor of "Names".'
|
|
type: string
|
|
names:
|
|
description: Names are the names of the resources.
|
|
Each name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one
|
|
character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: 'NamespaceSelector is a label selector
|
|
for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters
|
|
`*` (matches zero or many characters) and `?`
|
|
(matches one character).Wildcards allows writing
|
|
label selectors like ["storage.k8s.io/*": "*"].
|
|
Note that using ["*" : "*"] matches any key
|
|
and value but does not match an empty label
|
|
set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a
|
|
key, and an operator that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only
|
|
"value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
namespaces:
|
|
description: Namespaces is a list of namespaces
|
|
names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?"
|
|
(at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: 'Selector is a label selector. Label
|
|
keys and values in `matchLabels` support the
|
|
wildcard characters `*` (matches zero or many
|
|
characters) and `?` (matches one character).
|
|
Wildcards allows writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*"
|
|
: "*"] matches any key and value but does not
|
|
match an empty label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a
|
|
key, and an operator that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only
|
|
"value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: Subject contains a reference to the
|
|
object or user identities a role binding applies
|
|
to. This can either hold a direct API object
|
|
reference, or a value for non-objects such as
|
|
user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: APIGroup holds the API group of
|
|
the referenced subject. Defaults to "" for
|
|
ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
|
|
for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: Kind of object being referenced.
|
|
Values defined by this API group are "User",
|
|
"Group", and "ServiceAccount". If the Authorizer
|
|
does not recognized the kind value, the Authorizer
|
|
should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the referenced object. If
|
|
the object kind is non-namespace, such as
|
|
"User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information about
|
|
the resource being created or modified. Requires at least
|
|
one tag to be specified when under MatchResources. Specifying
|
|
ResourceDescription directly under match is being deprecated.
|
|
Please specify under "any" or "all" instead.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations is a map of annotations (key-value
|
|
pairs of type string). Annotation keys and values
|
|
support the wildcard characters "*" (matches zero
|
|
or many characters) and "?" (matches at least one
|
|
character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: 'Name is the name of the resource. The
|
|
name supports wildcard characters "*" (matches zero
|
|
or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".'
|
|
type: string
|
|
names:
|
|
description: Names are the names of the resources. Each
|
|
name supports wildcard characters "*" (matches zero
|
|
or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: 'NamespaceSelector is a label selector
|
|
for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*`
|
|
(matches zero or many characters) and `?` (matches
|
|
one character).Wildcards allows writing label selectors
|
|
like ["storage.k8s.io/*": "*"]. Note that using ["*"
|
|
: "*"] matches any key and value but does not match
|
|
an empty label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement is a
|
|
selector that contains values, a key, and an
|
|
operator that relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's relationship
|
|
to a set of values. Valid operators are
|
|
In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the
|
|
operator is Exists or DoesNotExist, the
|
|
values array must be empty. This array is
|
|
replaced during a strategic merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is "In",
|
|
and the values array contains only "value". The
|
|
requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
namespaces:
|
|
description: Namespaces is a list of namespaces names.
|
|
Each name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: 'Selector is a label selector. Label keys
|
|
and values in `matchLabels` support the wildcard characters
|
|
`*` (matches zero or many characters) and `?` (matches
|
|
one character). Wildcards allows writing label selectors
|
|
like ["storage.k8s.io/*": "*"]. Note that using ["*"
|
|
: "*"] matches any key and value but does not match
|
|
an empty label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement is a
|
|
selector that contains values, a key, and an
|
|
operator that relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's relationship
|
|
to a set of values. Valid operators are
|
|
In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the
|
|
operator is Exists or DoesNotExist, the
|
|
values array must be empty. This array is
|
|
replaced during a strategic merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is "In",
|
|
and the values array contains only "value". The
|
|
requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: Subject contains a reference to the object
|
|
or user identities a role binding applies to. This
|
|
can either hold a direct API object reference, or a
|
|
value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: APIGroup holds the API group of the referenced
|
|
subject. Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User
|
|
and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: Kind of object being referenced. Values
|
|
defined by this API group are "User", "Group", and
|
|
"ServiceAccount". If the Authorizer does not recognized
|
|
the kind value, the Authorizer should report an
|
|
error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the referenced object. If
|
|
the object kind is non-namespace, such as "User"
|
|
or "Group", and this value is not empty the Authorizer
|
|
should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
type: array
|
|
type: object
|
|
generate:
|
|
description: Generation is used to create new resources.
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
clone:
|
|
description: Clone specifies the source resource used to
|
|
populate each generated resource. At most one of Data
|
|
or Clone can be specified. If neither are provided, the
|
|
generated resource will be created with default data only.
|
|
properties:
|
|
name:
|
|
description: Name specifies name of the resource.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies source resource namespace.
|
|
type: string
|
|
type: object
|
|
data:
|
|
description: Data provides the resource declaration used
|
|
to populate each generated resource. At most one of Data
|
|
or Clone must be specified. If neither are provided, the
|
|
generated resource will be created with default data only.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
synchronize:
|
|
description: Synchronize controls if generated resources
|
|
should be kept in-sync with their source resource. If
|
|
Synchronize is set to "true" changes to generated resources
|
|
will be overwritten with resource data from Data or the
|
|
resource specified in the Clone declaration. Optional.
|
|
Defaults to "false" if not specified.
|
|
type: boolean
|
|
type: object
|
|
imageExtractors:
|
|
additionalProperties:
|
|
items:
|
|
properties:
|
|
key:
|
|
description: Key is an optional name of the field within
|
|
'path' that will be used to uniquely identify an image.
|
|
Note - this field MUST be unique.
|
|
type: string
|
|
name:
|
|
description: Name is the entry the image will be available
|
|
under 'images.<name>' in the context. If this field
|
|
is not defined, image entries will appear under 'images.custom'.
|
|
type: string
|
|
path:
|
|
description: Path is the path to the object containing
|
|
the image field in a custom resource. It should be
|
|
slash-separated. Each slash-separated key must be
|
|
a valid YAML key or a wildcard '*'. Wildcard keys
|
|
are expanded in case of arrays or objects.
|
|
type: string
|
|
value:
|
|
description: Value is an optional name of the field
|
|
within 'path' that points to the image URI. This is
|
|
useful when a custom 'key' is also defined.
|
|
type: string
|
|
required:
|
|
- path
|
|
type: object
|
|
type: array
|
|
description: ImageExtractors defines a mapping from kinds to
|
|
ImageExtractorConfigs. This config is only valid for verifyImages
|
|
rules.
|
|
type: object
|
|
match:
|
|
description: MatchResources defines when this policy rule should
|
|
be applied. The match criteria can include resource information
|
|
(e.g. kind, name, namespace, labels) and admission review
|
|
request information like the user name or role. At least one
|
|
kind is required.
|
|
properties:
|
|
all:
|
|
description: All allows specifying resources which will
|
|
be ANDed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or "OR"
|
|
between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations is a map of annotations
|
|
(key-value pairs of type string). Annotation
|
|
keys and values support the wildcard characters
|
|
"*" (matches zero or many characters) and "?"
|
|
(matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: 'Name is the name of the resource.
|
|
The name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one
|
|
character). NOTE: "Name" is being deprecated
|
|
in favor of "Names".'
|
|
type: string
|
|
names:
|
|
description: Names are the names of the resources.
|
|
Each name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one
|
|
character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: 'NamespaceSelector is a label selector
|
|
for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters
|
|
`*` (matches zero or many characters) and `?`
|
|
(matches one character).Wildcards allows writing
|
|
label selectors like ["storage.k8s.io/*": "*"].
|
|
Note that using ["*" : "*"] matches any key
|
|
and value but does not match an empty label
|
|
set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a
|
|
key, and an operator that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only
|
|
"value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
namespaces:
|
|
description: Namespaces is a list of namespaces
|
|
names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?"
|
|
(at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: 'Selector is a label selector. Label
|
|
keys and values in `matchLabels` support the
|
|
wildcard characters `*` (matches zero or many
|
|
characters) and `?` (matches one character).
|
|
Wildcards allows writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*"
|
|
: "*"] matches any key and value but does not
|
|
match an empty label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a
|
|
key, and an operator that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only
|
|
"value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: Subject contains a reference to the
|
|
object or user identities a role binding applies
|
|
to. This can either hold a direct API object
|
|
reference, or a value for non-objects such as
|
|
user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: APIGroup holds the API group of
|
|
the referenced subject. Defaults to "" for
|
|
ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
|
|
for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: Kind of object being referenced.
|
|
Values defined by this API group are "User",
|
|
"Group", and "ServiceAccount". If the Authorizer
|
|
does not recognized the kind value, the Authorizer
|
|
should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the referenced object. If
|
|
the object kind is non-namespace, such as
|
|
"User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: Any allows specifying resources which will
|
|
be ORed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or "OR"
|
|
between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations is a map of annotations
|
|
(key-value pairs of type string). Annotation
|
|
keys and values support the wildcard characters
|
|
"*" (matches zero or many characters) and "?"
|
|
(matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: 'Name is the name of the resource.
|
|
The name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one
|
|
character). NOTE: "Name" is being deprecated
|
|
in favor of "Names".'
|
|
type: string
|
|
names:
|
|
description: Names are the names of the resources.
|
|
Each name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one
|
|
character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: 'NamespaceSelector is a label selector
|
|
for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters
|
|
`*` (matches zero or many characters) and `?`
|
|
(matches one character).Wildcards allows writing
|
|
label selectors like ["storage.k8s.io/*": "*"].
|
|
Note that using ["*" : "*"] matches any key
|
|
and value but does not match an empty label
|
|
set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a
|
|
key, and an operator that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only
|
|
"value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
namespaces:
|
|
description: Namespaces is a list of namespaces
|
|
names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?"
|
|
(at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: 'Selector is a label selector. Label
|
|
keys and values in `matchLabels` support the
|
|
wildcard characters `*` (matches zero or many
|
|
characters) and `?` (matches one character).
|
|
Wildcards allows writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*"
|
|
: "*"] matches any key and value but does not
|
|
match an empty label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a
|
|
key, and an operator that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only
|
|
"value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: Subject contains a reference to the
|
|
object or user identities a role binding applies
|
|
to. This can either hold a direct API object
|
|
reference, or a value for non-objects such as
|
|
user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: APIGroup holds the API group of
|
|
the referenced subject. Defaults to "" for
|
|
ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
|
|
for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: Kind of object being referenced.
|
|
Values defined by this API group are "User",
|
|
"Group", and "ServiceAccount". If the Authorizer
|
|
does not recognized the kind value, the Authorizer
|
|
should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the referenced object. If
|
|
the object kind is non-namespace, such as
|
|
"User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information about
|
|
the resource being created or modified. Requires at least
|
|
one tag to be specified when under MatchResources. Specifying
|
|
ResourceDescription directly under match is being deprecated.
|
|
Please specify under "any" or "all" instead.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations is a map of annotations (key-value
|
|
pairs of type string). Annotation keys and values
|
|
support the wildcard characters "*" (matches zero
|
|
or many characters) and "?" (matches at least one
|
|
character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: 'Name is the name of the resource. The
|
|
name supports wildcard characters "*" (matches zero
|
|
or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".'
|
|
type: string
|
|
names:
|
|
description: Names are the names of the resources. Each
|
|
name supports wildcard characters "*" (matches zero
|
|
or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: 'NamespaceSelector is a label selector
|
|
for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*`
|
|
(matches zero or many characters) and `?` (matches
|
|
one character).Wildcards allows writing label selectors
|
|
like ["storage.k8s.io/*": "*"]. Note that using ["*"
|
|
: "*"] matches any key and value but does not match
|
|
an empty label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement is a
|
|
selector that contains values, a key, and an
|
|
operator that relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's relationship
|
|
to a set of values. Valid operators are
|
|
In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the
|
|
operator is Exists or DoesNotExist, the
|
|
values array must be empty. This array is
|
|
replaced during a strategic merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is "In",
|
|
and the values array contains only "value". The
|
|
requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
namespaces:
|
|
description: Namespaces is a list of namespaces names.
|
|
Each name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: 'Selector is a label selector. Label keys
|
|
and values in `matchLabels` support the wildcard characters
|
|
`*` (matches zero or many characters) and `?` (matches
|
|
one character). Wildcards allows writing label selectors
|
|
like ["storage.k8s.io/*": "*"]. Note that using ["*"
|
|
: "*"] matches any key and value but does not match
|
|
an empty label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement is a
|
|
selector that contains values, a key, and an
|
|
operator that relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's relationship
|
|
to a set of values. Valid operators are
|
|
In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the
|
|
operator is Exists or DoesNotExist, the
|
|
values array must be empty. This array is
|
|
replaced during a strategic merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is "In",
|
|
and the values array contains only "value". The
|
|
requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: Subject contains a reference to the object
|
|
or user identities a role binding applies to. This
|
|
can either hold a direct API object reference, or a
|
|
value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: APIGroup holds the API group of the referenced
|
|
subject. Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User
|
|
and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: Kind of object being referenced. Values
|
|
defined by this API group are "User", "Group", and
|
|
"ServiceAccount". If the Authorizer does not recognized
|
|
the kind value, the Authorizer should report an
|
|
error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the referenced object. If
|
|
the object kind is non-namespace, such as "User"
|
|
or "Group", and this value is not empty the Authorizer
|
|
should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
type: array
|
|
type: object
|
|
mutate:
|
|
description: Mutation is used to modify matching resources.
|
|
properties:
|
|
foreach:
|
|
description: ForEach applies mutation rules to a list of
|
|
sub-elements by creating a context for each entry in the
|
|
list and looping over it to apply the specified logic.
|
|
items:
|
|
description: ForEach applies mutation rules to a list
|
|
of sub-elements by creating a context for each entry
|
|
in the list and looping over it to apply the specified
|
|
logic.
|
|
properties:
|
|
context:
|
|
description: Context defines variables and data sources
|
|
that can be used during rule execution.
|
|
items:
|
|
description: ContextEntry adds variables and data
|
|
sources to a rule Context. Either a ConfigMap
|
|
reference or a APILookup must be provided.
|
|
properties:
|
|
apiCall:
|
|
description: APICall defines an HTTP request
|
|
to the Kubernetes API server. The JSON data
|
|
retrieved is stored in the context.
|
|
properties:
|
|
jmesPath:
|
|
description: JMESPath is an optional JSON
|
|
Match Expression that can be used to transform
|
|
the JSON response returned from the API
|
|
server. For example a JMESPath of "items
|
|
| length(@)" applied to the API server
|
|
response to the URLPath "/apis/apps/v1/deployments"
|
|
will return the total count of deployments
|
|
across all namespaces.
|
|
type: string
|
|
urlPath:
|
|
description: URLPath is the URL path to
|
|
be used in the HTTP GET request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces"
|
|
or "/apis/apps/v1/deployments"). The
|
|
format required is the same format used
|
|
by the `kubectl get --raw` command.
|
|
type: string
|
|
required:
|
|
- urlPath
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: ImageRegistry defines requests
|
|
to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
jmesPath:
|
|
description: JMESPath is an optional JSON
|
|
Match Expression that can be used to transform
|
|
the ImageData struct returned as a result
|
|
of processing the image reference.
|
|
type: string
|
|
reference:
|
|
description: 'Reference is image reference
|
|
to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest'
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath
|
|
context variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: Default is an optional arbitrary
|
|
JSON object that the variable may take
|
|
if the JMESPath expression evaluates to
|
|
nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: JMESPath is an optional JMESPath
|
|
Expression that can be used to transform
|
|
the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON
|
|
object representable in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: object
|
|
type: array
|
|
list:
|
|
description: List specifies a JMESPath expression
|
|
that results in one or more elements to which the
|
|
validation logic is applied.
|
|
type: string
|
|
patchStrategicMerge:
|
|
description: PatchStrategicMerge is a strategic merge
|
|
patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
|
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
patchesJson6902:
|
|
description: PatchesJSON6902 is a list of RFC 6902
|
|
JSON Patch declarations used to modify resources.
|
|
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
|
type: string
|
|
preconditions:
|
|
description: 'AnyAllConditions are used to determine
|
|
if a policy rule should be applied by evaluating
|
|
a set of conditions. The declaration can contain
|
|
nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
|
|
properties:
|
|
all:
|
|
description: AllConditions enable variable-based
|
|
conditional rule execution. This is useful for
|
|
finer control of when an rule is applied. A
|
|
condition can reference object data using JMESPath
|
|
notation. Here, all of the conditions need to
|
|
pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
operator:
|
|
description: 'Operator is the conditional
|
|
operation to perform. Valid operators
|
|
are: Equals, NotEquals, In, AnyIn, AllIn,
|
|
NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan,
|
|
DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional value,
|
|
or set of values. The values can be fixed
|
|
set or can be variables declared using
|
|
JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: AnyConditions enable variable-based
|
|
conditional rule execution. This is useful for
|
|
finer control of when an rule is applied. A
|
|
condition can reference object data using JMESPath
|
|
notation. Here, at least one of the conditions
|
|
need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
operator:
|
|
description: 'Operator is the conditional
|
|
operation to perform. Valid operators
|
|
are: Equals, NotEquals, In, AnyIn, AllIn,
|
|
NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan,
|
|
DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional value,
|
|
or set of values. The values can be fixed
|
|
set or can be variables declared using
|
|
JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
patchStrategicMerge:
|
|
description: PatchStrategicMerge is a strategic merge patch
|
|
used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
|
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
patchesJson6902:
|
|
description: PatchesJSON6902 is a list of RFC 6902 JSON
|
|
Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902
|
|
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
|
type: string
|
|
targets:
|
|
description: Targets defines the target resources to be
|
|
mutated.
|
|
items:
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
name:
|
|
description: Name is a label to identify the rule, It must be
|
|
unique within the policy.
|
|
maxLength: 63
|
|
type: string
|
|
preconditions:
|
|
description: 'Preconditions are used to determine if a policy
|
|
rule should be applied by evaluating a set of conditions.
|
|
The declaration can contain nested `any` or `all` statements.
|
|
A direct list of conditions (without `any` or `all` statements
|
|
is supported for backwards compatibility but will be deprecated
|
|
in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
validate:
|
|
description: Validation is used to validate matching resources.
|
|
properties:
|
|
anyPattern:
|
|
description: AnyPattern specifies list of validation patterns.
|
|
At least one of the patterns must be satisfied for the
|
|
validation rule to succeed.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
deny:
|
|
description: Deny defines conditions used to pass or fail
|
|
a validation rule.
|
|
properties:
|
|
conditions:
|
|
description: 'Multiple conditions can be declared under
|
|
an `any` or `all` statement. A direct list of conditions
|
|
(without `any` or `all` statements) is also supported
|
|
for backwards compatibility but will be deprecated
|
|
in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
foreach:
|
|
description: ForEach applies validate rules to a list of
|
|
sub-elements by creating a context for each entry in the
|
|
list and looping over it to apply the specified logic.
|
|
items:
|
|
description: ForEach applies validate rules to a list
|
|
of sub-elements by creating a context for each entry
|
|
in the list and looping over it to apply the specified
|
|
logic.
|
|
properties:
|
|
anyPattern:
|
|
description: AnyPattern specifies list of validation
|
|
patterns. At least one of the patterns must be satisfied
|
|
for the validation rule to succeed.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
context:
|
|
description: Context defines variables and data sources
|
|
that can be used during rule execution.
|
|
items:
|
|
description: ContextEntry adds variables and data
|
|
sources to a rule Context. Either a ConfigMap
|
|
reference or a APILookup must be provided.
|
|
properties:
|
|
apiCall:
|
|
description: APICall defines an HTTP request
|
|
to the Kubernetes API server. The JSON data
|
|
retrieved is stored in the context.
|
|
properties:
|
|
jmesPath:
|
|
description: JMESPath is an optional JSON
|
|
Match Expression that can be used to transform
|
|
the JSON response returned from the API
|
|
server. For example a JMESPath of "items
|
|
| length(@)" applied to the API server
|
|
response to the URLPath "/apis/apps/v1/deployments"
|
|
will return the total count of deployments
|
|
across all namespaces.
|
|
type: string
|
|
urlPath:
|
|
description: URLPath is the URL path to
|
|
be used in the HTTP GET request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces"
|
|
or "/apis/apps/v1/deployments"). The
|
|
format required is the same format used
|
|
by the `kubectl get --raw` command.
|
|
type: string
|
|
required:
|
|
- urlPath
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: ImageRegistry defines requests
|
|
to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
jmesPath:
|
|
description: JMESPath is an optional JSON
|
|
Match Expression that can be used to transform
|
|
the ImageData struct returned as a result
|
|
of processing the image reference.
|
|
type: string
|
|
reference:
|
|
description: 'Reference is image reference
|
|
to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest'
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath
|
|
context variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: Default is an optional arbitrary
|
|
JSON object that the variable may take
|
|
if the JMESPath expression evaluates to
|
|
nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: JMESPath is an optional JMESPath
|
|
Expression that can be used to transform
|
|
the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON
|
|
object representable in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: object
|
|
type: array
|
|
deny:
|
|
description: Deny defines conditions used to pass
|
|
or fail a validation rule.
|
|
properties:
|
|
conditions:
|
|
description: 'Multiple conditions can be declared
|
|
under an `any` or `all` statement. A direct
|
|
list of conditions (without `any` or `all` statements)
|
|
is also supported for backwards compatibility
|
|
but will be deprecated in the next major release.
|
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
elementScope:
|
|
description: ElementScope specifies whether to use
|
|
the current list element as the scope for validation.
|
|
Defaults to "true" if not specified. When set to
|
|
"false", "request.object" is used as the validation
|
|
scope within the foreach block to allow referencing
|
|
other elements in the subtree.
|
|
type: boolean
|
|
list:
|
|
description: List specifies a JMESPath expression
|
|
that results in one or more elements to which the
|
|
validation logic is applied.
|
|
type: string
|
|
pattern:
|
|
description: Pattern specifies an overlay-style pattern
|
|
used to check resources.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
preconditions:
|
|
description: 'AnyAllConditions are used to determine
|
|
if a policy rule should be applied by evaluating
|
|
a set of conditions. The declaration can contain
|
|
nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
|
|
properties:
|
|
all:
|
|
description: AllConditions enable variable-based
|
|
conditional rule execution. This is useful for
|
|
finer control of when an rule is applied. A
|
|
condition can reference object data using JMESPath
|
|
notation. Here, all of the conditions need to
|
|
pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
operator:
|
|
description: 'Operator is the conditional
|
|
operation to perform. Valid operators
|
|
are: Equals, NotEquals, In, AnyIn, AllIn,
|
|
NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan,
|
|
DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional value,
|
|
or set of values. The values can be fixed
|
|
set or can be variables declared using
|
|
JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: AnyConditions enable variable-based
|
|
conditional rule execution. This is useful for
|
|
finer control of when an rule is applied. A
|
|
condition can reference object data using JMESPath
|
|
notation. Here, at least one of the conditions
|
|
need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
operator:
|
|
description: 'Operator is the conditional
|
|
operation to perform. Valid operators
|
|
are: Equals, NotEquals, In, AnyIn, AllIn,
|
|
NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan,
|
|
DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional value,
|
|
or set of values. The values can be fixed
|
|
set or can be variables declared using
|
|
JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
message:
|
|
description: Message specifies a custom message to be displayed
|
|
on failure.
|
|
type: string
|
|
pattern:
|
|
description: Pattern specifies an overlay-style pattern
|
|
used to check resources.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
verifyImages:
|
|
description: VerifyImages is used to verify image signatures
|
|
and mutate them to add a digest
|
|
items:
|
|
description: ImageVerification validates that images that
|
|
match the specified pattern are signed with the supplied
|
|
public key. Once the image is verified it is mutated to
|
|
include the SHA digest retrieved during the registration.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions are certificate-extensions
|
|
used for keyless signing. Deprecated.
|
|
type: object
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations are used for image verification.
|
|
Every specified key-value pair must exist and match
|
|
in the verified payload. The payload may contain other
|
|
key-value pairs. Deprecated. Use annotations per Attestor
|
|
instead.
|
|
type: object
|
|
attestations:
|
|
description: Attestations are optional checks for signed
|
|
in-toto Statements used to verify the image. See https://github.com/in-toto/attestation.
|
|
Kyverno fetches signed attestations from the OCI registry
|
|
and decodes them into a list of Statement declarations.
|
|
items:
|
|
description: Attestation are checks for signed in-toto
|
|
Statements that are used to verify the image. See
|
|
https://github.com/in-toto/attestation. Kyverno fetches
|
|
signed attestations from the OCI registry and decodes
|
|
them into a list of Statements.
|
|
properties:
|
|
conditions:
|
|
description: Conditions are used to verify attributes
|
|
within a Predicate. If no Conditions are specified
|
|
the attestation check is satisfied as long there
|
|
are predicates that match the predicate type.
|
|
items:
|
|
description: AnyAllConditions consists of conditions
|
|
wrapped denoting a logical criteria to be fulfilled.
|
|
AnyConditions get fulfilled when at least one
|
|
of its sub-conditions passes. AllConditions
|
|
get fulfilled only when all of its sub-conditions
|
|
pass.
|
|
properties:
|
|
all:
|
|
description: AllConditions enable variable-based
|
|
conditional rule execution. This is useful
|
|
for finer control of when an rule is applied.
|
|
A condition can reference object data using
|
|
JMESPath notation. Here, all of the conditions
|
|
need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
operator:
|
|
description: 'Operator is the conditional
|
|
operation to perform. Valid operators
|
|
are: Equals, NotEquals, In, AnyIn,
|
|
AllIn, NotIn, AnyNotIn, AllNotIn,
|
|
GreaterThanOrEquals, GreaterThan,
|
|
LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
|
|
DurationGreaterThan, DurationLessThanOrEquals,
|
|
DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional
|
|
value, or set of values. The values
|
|
can be fixed set or can be variables
|
|
declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: AnyConditions enable variable-based
|
|
conditional rule execution. This is useful
|
|
for finer control of when an rule is applied.
|
|
A condition can reference object data using
|
|
JMESPath notation. Here, at least one of
|
|
the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
operator:
|
|
description: 'Operator is the conditional
|
|
operation to perform. Valid operators
|
|
are: Equals, NotEquals, In, AnyIn,
|
|
AllIn, NotIn, AnyNotIn, AllNotIn,
|
|
GreaterThanOrEquals, GreaterThan,
|
|
LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
|
|
DurationGreaterThan, DurationLessThanOrEquals,
|
|
DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional
|
|
value, or set of values. The values
|
|
can be fixed set or can be variables
|
|
declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
predicateType:
|
|
description: PredicateType defines the type of Predicate
|
|
contained within the Statement.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
attestors:
|
|
description: Attestors specified the required attestors
|
|
(i.e. authorities)
|
|
items:
|
|
properties:
|
|
count:
|
|
description: Count specifies the required number
|
|
of entries that must match. If the count is null,
|
|
all entries must match (a logical AND). If the
|
|
count is 1, at least one entry must match (a logical
|
|
OR). If the count contains a value N, then N must
|
|
be less than or equal to the size of entries,
|
|
and at least N entries must match.
|
|
minimum: 1
|
|
type: integer
|
|
entries:
|
|
description: Entries contains the available attestors.
|
|
An attestor can be a static key, attributes for
|
|
keyless verification, or a nested attestor declaration.
|
|
items:
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations are used for image
|
|
verification. Every specified key-value
|
|
pair must exist and match in the verified
|
|
payload. The payload may contain other key-value
|
|
pairs.
|
|
type: object
|
|
attestor:
|
|
description: Attestor is a nested AttestorSet
|
|
used to specify a more complex set of match
|
|
authorities
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
certificates:
|
|
description: Certificates specifies one or
|
|
more certificates
|
|
properties:
|
|
cert:
|
|
description: Certificate is an optional
|
|
PEM encoded public certificate.
|
|
type: string
|
|
certChain:
|
|
description: CertificateChain is an optional
|
|
PEM encoded set of certificates used
|
|
to verify
|
|
type: string
|
|
rekor:
|
|
description: Rekor provides configuration
|
|
for the Rekor transparency log service.
|
|
If the value is nil, Rekor is not checked.
|
|
If an empty object is provided the public
|
|
instance of Rekor (https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
url:
|
|
description: URL is the address of
|
|
the transparency log. Defaults to
|
|
the public log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
type: object
|
|
keyless:
|
|
description: Keyless is a set of attribute
|
|
used to verify a Sigstore keyless attestor.
|
|
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions are
|
|
certificate-extensions used for keyless
|
|
signing.
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
rekor:
|
|
description: Rekor provides configuration
|
|
for the Rekor transparency log service.
|
|
If the value is nil, Rekor is not checked
|
|
and a root certificate chain is expected
|
|
instead. If an empty object is provided
|
|
the public instance of Rekor (https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
url:
|
|
description: URL is the address of
|
|
the transparency log. Defaults to
|
|
the public log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
roots:
|
|
description: Roots is an optional set
|
|
of PEM encoded trusted root certificates.
|
|
If not provided, the system roots are
|
|
used.
|
|
type: string
|
|
subject:
|
|
description: Subject is the verified identity
|
|
used for keyless signing, for example
|
|
the email address
|
|
type: string
|
|
type: object
|
|
keys:
|
|
description: Keys specifies one or more public
|
|
keys
|
|
properties:
|
|
publicKeys:
|
|
description: Keys is a set of X.509 public
|
|
keys used to verify image signatures.
|
|
The keys can be directly specified or
|
|
can be a variable reference to a key
|
|
specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
|
|
When multiple keys are specified each
|
|
key is processed as a separate staticKey
|
|
entry (.attestors[*].entries.keys) within
|
|
the set of attestors and the count is
|
|
applied across the keys.
|
|
type: string
|
|
rekor:
|
|
description: Rekor provides configuration
|
|
for the Rekor transparency log service.
|
|
If the value is nil, Rekor is not checked.
|
|
If an empty object is provided the public
|
|
instance of Rekor (https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
url:
|
|
description: URL is the address of
|
|
the transparency log. Defaults to
|
|
the public log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
type: object
|
|
repository:
|
|
description: Repository is an optional alternate
|
|
OCI repository to use for signatures and
|
|
attestations that match this rule. If specified
|
|
Repository will override other OCI image
|
|
repository locations for this Attestor.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
image:
|
|
description: 'Image is the image name consisting of the
|
|
registry address, repository, image, and tag. Wildcards
|
|
(''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
|
|
Deprecated. Use ImageReferences instead.'
|
|
type: string
|
|
imageReferences:
|
|
description: 'ImageReferences is a list of matching image
|
|
reference patterns. At least one pattern in the list
|
|
must match the image for the rule to apply. Each image
|
|
reference consists of a registry address (defaults to
|
|
docker.io), repository, image, and tag (defaults to
|
|
latest). Wildcards (''*'' and ''?'') are allowed. See:
|
|
https://kubernetes.io/docs/concepts/containers/images.'
|
|
items:
|
|
type: string
|
|
type: array
|
|
issuer:
|
|
description: Issuer is the certificate issuer used for
|
|
keyless signing. Deprecated. Use KeylessAttestor instead.
|
|
type: string
|
|
key:
|
|
description: Key is the PEM encoded public key that the
|
|
image or attestation is signed with. Deprecated. Use
|
|
StaticKeyAttestor instead.
|
|
type: string
|
|
mutateDigest:
|
|
default: true
|
|
description: MutateDigest enables replacement of image
|
|
tags with digests. Defaults to true.
|
|
type: boolean
|
|
repository:
|
|
description: Repository is an optional alternate OCI repository
|
|
to use for image signatures and attestations that match
|
|
this rule. If specified Repository will override the
|
|
default OCI image repository configured for the installation.
|
|
The repository can also be overridden per Attestor or
|
|
Attestation.
|
|
type: string
|
|
required:
|
|
default: true
|
|
description: Required validates that images are verified
|
|
i.e. have matched passed a signature or attestation
|
|
check.
|
|
type: boolean
|
|
roots:
|
|
description: Roots is the PEM encoded Root certificate
|
|
chain used for keyless signing Deprecated. Use KeylessAttestor
|
|
instead.
|
|
type: string
|
|
subject:
|
|
description: Subject is the identity used for keyless
|
|
signing, for example an email address Deprecated. Use
|
|
KeylessAttestor instead.
|
|
type: string
|
|
verifyDigest:
|
|
default: true
|
|
description: VerifyDigest validates that images have a
|
|
digest.
|
|
type: boolean
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
schemaValidation:
|
|
description: SchemaValidation skips policy validation checks. Optional.
|
|
The default value is set to "true", it must be set to "false" to
|
|
disable the validation checks.
|
|
type: boolean
|
|
validationFailureAction:
|
|
description: ValidationFailureAction controls if a validation policy
|
|
rule failure should disallow the admission review request (enforce),
|
|
or allow (audit) the admission review request and report an error
|
|
in a policy report. Optional. The default value is "audit".
|
|
enum:
|
|
- audit
|
|
- enforce
|
|
type: string
|
|
validationFailureActionOverrides:
|
|
description: ValidationFailureActionOverrides is a Cluster Policy
|
|
attribute that specifies ValidationFailureAction namespace-wise.
|
|
It overrides ValidationFailureAction for the specified namespaces.
|
|
items:
|
|
properties:
|
|
action:
|
|
description: ValidationFailureAction defines the policy validation
|
|
failure action
|
|
enum:
|
|
- audit
|
|
- enforce
|
|
type: string
|
|
namespaces:
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
type: array
|
|
webhookTimeoutSeconds:
|
|
description: WebhookTimeoutSeconds specifies the maximum time in seconds
|
|
allowed to apply this policy. After the configured time expires,
|
|
the admission request may fail, or may simply ignore the policy
|
|
results, based on the failure policy. The default timeout is 10s,
|
|
the value must be between 1 and 30 seconds.
|
|
format: int32
|
|
type: integer
|
|
type: object
|
|
status:
|
|
description: Status contains policy runtime data.
|
|
properties:
|
|
conditions:
|
|
description: Conditions is a list of conditions that apply to the
|
|
policy
|
|
items:
|
|
description: "Condition contains details for one aspect of the current
|
|
state of this API Resource. --- This struct is intended for direct
|
|
use as an array at the field path .status.conditions. For example,
|
|
type FooStatus struct{ // Represents the observations of a foo's
|
|
current state. // Known .status.conditions.type are: \"Available\",
|
|
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
|
|
// +listType=map // +listMapKey=type Conditions []metav1.Condition
|
|
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
|
|
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
|
|
properties:
|
|
lastTransitionTime:
|
|
description: lastTransitionTime is the last time the condition
|
|
transitioned from one status to another. This should be when
|
|
the underlying condition changed. If that is not known, then
|
|
using the time when the API field changed is acceptable.
|
|
format: date-time
|
|
type: string
|
|
message:
|
|
description: message is a human readable message indicating
|
|
details about the transition. This may be an empty string.
|
|
maxLength: 32768
|
|
type: string
|
|
observedGeneration:
|
|
description: observedGeneration represents the .metadata.generation
|
|
that the condition was set based upon. For instance, if .metadata.generation
|
|
is currently 12, but the .status.conditions[x].observedGeneration
|
|
is 9, the condition is out of date with respect to the current
|
|
state of the instance.
|
|
format: int64
|
|
minimum: 0
|
|
type: integer
|
|
reason:
|
|
description: reason contains a programmatic identifier indicating
|
|
the reason for the condition's last transition. Producers
|
|
of specific condition types may define expected values and
|
|
meanings for this field, and whether the values are considered
|
|
a guaranteed API. The value should be a CamelCase string.
|
|
This field may not be empty.
|
|
maxLength: 1024
|
|
minLength: 1
|
|
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
|
type: string
|
|
status:
|
|
description: status of the condition, one of True, False, Unknown.
|
|
enum:
|
|
- "True"
|
|
- "False"
|
|
- Unknown
|
|
type: string
|
|
type:
|
|
description: type of condition in CamelCase or in foo.example.com/CamelCase.
|
|
--- Many .condition.type values are consistent across resources
|
|
like Available, but because arbitrary conditions can be useful
|
|
(see .node.status.conditions), the ability to deconflict is
|
|
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
|
|
maxLength: 316
|
|
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
|
type: string
|
|
required:
|
|
- lastTransitionTime
|
|
- message
|
|
- reason
|
|
- status
|
|
- type
|
|
type: object
|
|
type: array
|
|
ready:
|
|
description: Ready indicates if the policy is ready to serve the admission
|
|
request. Deprecated in favor of Conditions
|
|
type: boolean
|
|
required:
|
|
- ready
|
|
type: object
|
|
required:
|
|
- spec
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources:
|
|
status: {}
|
|
---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.8.0
|
|
creationTimestamp: null
|
|
labels:
|
|
app.kubernetes.io/component: kyverno
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/name: kyverno
|
|
app.kubernetes.io/part-of: kyverno
|
|
app.kubernetes.io/version: latest
|
|
name: clusterpolicyreports.wgpolicyk8s.io
|
|
spec:
|
|
group: wgpolicyk8s.io
|
|
names:
|
|
kind: ClusterPolicyReport
|
|
listKind: ClusterPolicyReportList
|
|
plural: clusterpolicyreports
|
|
shortNames:
|
|
- cpolr
|
|
singular: clusterpolicyreport
|
|
scope: Cluster
|
|
versions:
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .scope.kind
|
|
name: Kind
|
|
priority: 1
|
|
type: string
|
|
- jsonPath: .scope.name
|
|
name: Name
|
|
priority: 1
|
|
type: string
|
|
- jsonPath: .summary.pass
|
|
name: Pass
|
|
type: integer
|
|
- jsonPath: .summary.fail
|
|
name: Fail
|
|
type: integer
|
|
- jsonPath: .summary.warn
|
|
name: Warn
|
|
type: integer
|
|
- jsonPath: .summary.error
|
|
name: Error
|
|
type: integer
|
|
- jsonPath: .summary.skip
|
|
name: Skip
|
|
type: integer
|
|
- jsonPath: .metadata.creationTimestamp
|
|
name: Age
|
|
type: date
|
|
name: v1alpha2
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: ClusterPolicyReport is the Schema for the clusterpolicyreports
|
|
API
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
results:
|
|
description: PolicyReportResult provides result details
|
|
items:
|
|
description: PolicyReportResult provides the result for an individual
|
|
policy
|
|
properties:
|
|
category:
|
|
description: Category indicates policy category
|
|
type: string
|
|
message:
|
|
description: Message is a short user friendly description of the
|
|
policy rule
|
|
type: string
|
|
policy:
|
|
description: Policy is the name of the policy
|
|
type: string
|
|
properties:
|
|
additionalProperties:
|
|
type: string
|
|
description: Properties provides additional information for the
|
|
policy rule
|
|
type: object
|
|
resourceSelector:
|
|
description: ResourceSelector is an optional selector for policy
|
|
results that apply to multiple resources. For example, a policy
|
|
result may apply to all pods that match a label. Either a Resource
|
|
or a ResourceSelector can be specified. If neither are provided,
|
|
the result is assumed to be for the policy report scope.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label selector requirements.
|
|
The requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement is a selector that
|
|
contains values, a key, and an operator that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's relationship
|
|
to a set of values. Valid operators are In, NotIn, Exists
|
|
and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string values. If the
|
|
operator is In or NotIn, the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist, the values
|
|
array must be empty. This array is replaced during a
|
|
strategic merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value} pairs. A single
|
|
{key,value} in the matchLabels map is equivalent to an element
|
|
of matchExpressions, whose key field is "key", the operator
|
|
is "In", and the values array contains only "value". The requirements
|
|
are ANDed.
|
|
type: object
|
|
type: object
|
|
resources:
|
|
description: Resources is an optional reference to the resource
|
|
checked by the policy and rule
|
|
items:
|
|
description: 'ObjectReference contains enough information to let
|
|
you inspect or modify the referred object. --- New uses of this
|
|
type are discouraged because of difficulty describing its usage
|
|
when embedded in APIs. 1. Ignored fields. It includes many
|
|
fields which are not generally honored. For instance, ResourceVersion
|
|
and FieldPath are both very rarely valid in actual usage. 2.
|
|
Invalid usage help. It is impossible to add specific help for
|
|
individual usage. In most embedded usages, there are particular
|
|
restrictions like, "must refer only to types A and B" or "UID
|
|
not honored" or "name must be restricted". Those cannot be well
|
|
described when embedded. 3. Inconsistent validation. Because
|
|
the usages are different, the validation rules are different
|
|
by usage, which makes it hard for users to predict what will
|
|
happen. 4. The fields are both imprecise and overly precise. Kind
|
|
is not a precise mapping to a URL. This can produce ambiguity
|
|
during interpretation and require a REST mapping. In most cases,
|
|
the dependency is on the group,resource tuple and the version
|
|
of the actual struct is irrelevant. 5. We cannot easily change
|
|
it. Because this type is embedded in many locations, updates
|
|
to this type will affect numerous schemas. Don''t make new
|
|
APIs embed an underspecified API type they do not control. Instead
|
|
of using this type, create a locally provided and used type
|
|
that is well-focused on your reference. For example, ServiceReferences
|
|
for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
|
|
.'
|
|
properties:
|
|
apiVersion:
|
|
description: API version of the referent.
|
|
type: string
|
|
fieldPath:
|
|
description: 'If referring to a piece of an object instead
|
|
of an entire object, this string should contain a valid
|
|
JSON/Go field access statement, such as desiredState.manifest.containers[2].
|
|
For example, if the object reference is to a container within
|
|
a pod, this would take on a value like: "spec.containers{name}"
|
|
(where "name" refers to the name of the container that triggered
|
|
the event) or if no container name is specified "spec.containers[2]"
|
|
(container with index 2 in this pod). This syntax is chosen
|
|
only to have some well-defined way of referencing a part
|
|
of an object. TODO: this design is not final and this field
|
|
is subject to change in the future.'
|
|
type: string
|
|
kind:
|
|
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
name:
|
|
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
namespace:
|
|
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
|
|
type: string
|
|
resourceVersion:
|
|
description: 'Specific resourceVersion to which this reference
|
|
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
|
|
type: string
|
|
uid:
|
|
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
|
|
type: string
|
|
type: object
|
|
type: array
|
|
result:
|
|
description: Result indicates the outcome of the policy rule execution
|
|
enum:
|
|
- pass
|
|
- fail
|
|
- warn
|
|
- error
|
|
- skip
|
|
type: string
|
|
rule:
|
|
description: Rule is the name of the policy rule
|
|
type: string
|
|
scored:
|
|
description: Scored indicates if this policy rule is scored
|
|
type: boolean
|
|
severity:
|
|
description: Severity indicates policy severity
|
|
enum:
|
|
- high
|
|
- low
|
|
- medium
|
|
type: string
|
|
source:
|
|
description: Source is an identifier for the policy engine that
|
|
manages this report
|
|
type: string
|
|
timestamp:
|
|
description: Timestamp indicates the time the result was found
|
|
properties:
|
|
nanos:
|
|
description: Non-negative fractions of a second at nanosecond
|
|
resolution. Negative second values with fractions must still
|
|
have non-negative nanos values that count forward in time.
|
|
Must be from 0 to 999,999,999 inclusive. This field may be
|
|
limited in precision depending on context.
|
|
format: int32
|
|
type: integer
|
|
seconds:
|
|
description: Represents seconds of UTC time since Unix epoch
|
|
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
|
|
9999-12-31T23:59:59Z inclusive.
|
|
format: int64
|
|
type: integer
|
|
required:
|
|
- nanos
|
|
- seconds
|
|
type: object
|
|
required:
|
|
- policy
|
|
type: object
|
|
type: array
|
|
scope:
|
|
description: Scope is an optional reference to the report scope (e.g.
|
|
a Deployment, Namespace, or Node)
|
|
properties:
|
|
apiVersion:
|
|
description: API version of the referent.
|
|
type: string
|
|
fieldPath:
|
|
description: 'If referring to a piece of an object instead of an entire
|
|
object, this string should contain a valid JSON/Go field access
|
|
statement, such as desiredState.manifest.containers[2]. For example,
|
|
if the object reference is to a container within a pod, this would
|
|
take on a value like: "spec.containers{name}" (where "name" refers
|
|
to the name of the container that triggered the event) or if no
|
|
container name is specified "spec.containers[2]" (container with
|
|
index 2 in this pod). This syntax is chosen only to have some well-defined
|
|
way of referencing a part of an object. TODO: this design is not
|
|
final and this field is subject to change in the future.'
|
|
type: string
|
|
kind:
|
|
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
name:
|
|
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
namespace:
|
|
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
|
|
type: string
|
|
resourceVersion:
|
|
description: 'Specific resourceVersion to which this reference is
|
|
made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
|
|
type: string
|
|
uid:
|
|
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
|
|
type: string
|
|
type: object
|
|
scopeSelector:
|
|
description: ScopeSelector is an optional selector for multiple scopes
|
|
(e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
|
|
should be specified.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label selector requirements.
|
|
The requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement is a selector that contains
|
|
values, a key, and an operator that relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's relationship to a set
|
|
of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string values. If the operator
|
|
is In or NotIn, the values array must be non-empty. If the
|
|
operator is Exists or DoesNotExist, the values array must
|
|
be empty. This array is replaced during a strategic merge
|
|
patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value} pairs. A single {key,value}
|
|
in the matchLabels map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is "In", and the values array
|
|
contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
summary:
|
|
description: PolicyReportSummary provides a summary of results
|
|
properties:
|
|
error:
|
|
description: Error provides the count of policies that could not be
|
|
evaluated
|
|
type: integer
|
|
fail:
|
|
description: Fail provides the count of policies whose requirements
|
|
were not met
|
|
type: integer
|
|
pass:
|
|
description: Pass provides the count of policies whose requirements
|
|
were met
|
|
type: integer
|
|
skip:
|
|
description: Skip indicates the count of policies that were not selected
|
|
for evaluation
|
|
type: integer
|
|
warn:
|
|
description: Warn provides the count of unscored policies whose requirements
|
|
were not met
|
|
type: integer
|
|
type: object
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources: {}
|
|
---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.8.0
|
|
creationTimestamp: null
|
|
labels:
|
|
app.kubernetes.io/component: kyverno
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/name: kyverno
|
|
app.kubernetes.io/part-of: kyverno
|
|
app.kubernetes.io/version: latest
|
|
name: clusterreportchangerequests.kyverno.io
|
|
spec:
|
|
group: kyverno.io
|
|
names:
|
|
kind: ClusterReportChangeRequest
|
|
listKind: ClusterReportChangeRequestList
|
|
plural: clusterreportchangerequests
|
|
shortNames:
|
|
- crcr
|
|
singular: clusterreportchangerequest
|
|
scope: Cluster
|
|
versions:
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .scope.kind
|
|
name: Kind
|
|
priority: 1
|
|
type: string
|
|
- jsonPath: .scope.name
|
|
name: Name
|
|
priority: 1
|
|
type: string
|
|
- jsonPath: .summary.pass
|
|
name: Pass
|
|
type: integer
|
|
- jsonPath: .summary.fail
|
|
name: Fail
|
|
type: integer
|
|
- jsonPath: .summary.warn
|
|
name: Warn
|
|
type: integer
|
|
- jsonPath: .summary.error
|
|
name: Error
|
|
type: integer
|
|
- jsonPath: .summary.skip
|
|
name: Skip
|
|
type: integer
|
|
- jsonPath: .metadata.creationTimestamp
|
|
name: Age
|
|
type: date
|
|
name: v1alpha2
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests
|
|
API
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
results:
|
|
description: PolicyReportResult provides result details
|
|
items:
|
|
description: PolicyReportResult provides the result for an individual
|
|
policy
|
|
properties:
|
|
category:
|
|
description: Category indicates policy category
|
|
type: string
|
|
message:
|
|
description: Message is a short user friendly description of the
|
|
policy rule
|
|
type: string
|
|
policy:
|
|
description: Policy is the name of the policy
|
|
type: string
|
|
properties:
|
|
additionalProperties:
|
|
type: string
|
|
description: Properties provides additional information for the
|
|
policy rule
|
|
type: object
|
|
resourceSelector:
|
|
description: ResourceSelector is an optional selector for policy
|
|
results that apply to multiple resources. For example, a policy
|
|
result may apply to all pods that match a label. Either a Resource
|
|
or a ResourceSelector can be specified. If neither are provided,
|
|
the result is assumed to be for the policy report scope.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label selector requirements.
|
|
The requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement is a selector that
|
|
contains values, a key, and an operator that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's relationship
|
|
to a set of values. Valid operators are In, NotIn, Exists
|
|
and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string values. If the
|
|
operator is In or NotIn, the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist, the values
|
|
array must be empty. This array is replaced during a
|
|
strategic merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value} pairs. A single
|
|
{key,value} in the matchLabels map is equivalent to an element
|
|
of matchExpressions, whose key field is "key", the operator
|
|
is "In", and the values array contains only "value". The requirements
|
|
are ANDed.
|
|
type: object
|
|
type: object
|
|
resources:
|
|
description: Resources is an optional reference to the resource
|
|
checked by the policy and rule
|
|
items:
|
|
description: 'ObjectReference contains enough information to let
|
|
you inspect or modify the referred object. --- New uses of this
|
|
type are discouraged because of difficulty describing its usage
|
|
when embedded in APIs. 1. Ignored fields. It includes many
|
|
fields which are not generally honored. For instance, ResourceVersion
|
|
and FieldPath are both very rarely valid in actual usage. 2.
|
|
Invalid usage help. It is impossible to add specific help for
|
|
individual usage. In most embedded usages, there are particular
|
|
restrictions like, "must refer only to types A and B" or "UID
|
|
not honored" or "name must be restricted". Those cannot be well
|
|
described when embedded. 3. Inconsistent validation. Because
|
|
the usages are different, the validation rules are different
|
|
by usage, which makes it hard for users to predict what will
|
|
happen. 4. The fields are both imprecise and overly precise. Kind
|
|
is not a precise mapping to a URL. This can produce ambiguity
|
|
during interpretation and require a REST mapping. In most cases,
|
|
the dependency is on the group,resource tuple and the version
|
|
of the actual struct is irrelevant. 5. We cannot easily change
|
|
it. Because this type is embedded in many locations, updates
|
|
to this type will affect numerous schemas. Don''t make new
|
|
APIs embed an underspecified API type they do not control. Instead
|
|
of using this type, create a locally provided and used type
|
|
that is well-focused on your reference. For example, ServiceReferences
|
|
for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
|
|
.'
|
|
properties:
|
|
apiVersion:
|
|
description: API version of the referent.
|
|
type: string
|
|
fieldPath:
|
|
description: 'If referring to a piece of an object instead
|
|
of an entire object, this string should contain a valid
|
|
JSON/Go field access statement, such as desiredState.manifest.containers[2].
|
|
For example, if the object reference is to a container within
|
|
a pod, this would take on a value like: "spec.containers{name}"
|
|
(where "name" refers to the name of the container that triggered
|
|
the event) or if no container name is specified "spec.containers[2]"
|
|
(container with index 2 in this pod). This syntax is chosen
|
|
only to have some well-defined way of referencing a part
|
|
of an object. TODO: this design is not final and this field
|
|
is subject to change in the future.'
|
|
type: string
|
|
kind:
|
|
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
name:
|
|
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
namespace:
|
|
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
|
|
type: string
|
|
resourceVersion:
|
|
description: 'Specific resourceVersion to which this reference
|
|
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
|
|
type: string
|
|
uid:
|
|
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
|
|
type: string
|
|
type: object
|
|
type: array
|
|
result:
|
|
description: Result indicates the outcome of the policy rule execution
|
|
enum:
|
|
- pass
|
|
- fail
|
|
- warn
|
|
- error
|
|
- skip
|
|
type: string
|
|
rule:
|
|
description: Rule is the name of the policy rule
|
|
type: string
|
|
scored:
|
|
description: Scored indicates if this policy rule is scored
|
|
type: boolean
|
|
severity:
|
|
description: Severity indicates policy severity
|
|
enum:
|
|
- high
|
|
- low
|
|
- medium
|
|
type: string
|
|
source:
|
|
description: Source is an identifier for the policy engine that
|
|
manages this report
|
|
type: string
|
|
timestamp:
|
|
description: Timestamp indicates the time the result was found
|
|
properties:
|
|
nanos:
|
|
description: Non-negative fractions of a second at nanosecond
|
|
resolution. Negative second values with fractions must still
|
|
have non-negative nanos values that count forward in time.
|
|
Must be from 0 to 999,999,999 inclusive. This field may be
|
|
limited in precision depending on context.
|
|
format: int32
|
|
type: integer
|
|
seconds:
|
|
description: Represents seconds of UTC time since Unix epoch
|
|
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
|
|
9999-12-31T23:59:59Z inclusive.
|
|
format: int64
|
|
type: integer
|
|
required:
|
|
- nanos
|
|
- seconds
|
|
type: object
|
|
required:
|
|
- policy
|
|
type: object
|
|
type: array
|
|
scope:
|
|
description: Scope is an optional reference to the report scope (e.g.
|
|
a Deployment, Namespace, or Node)
|
|
properties:
|
|
apiVersion:
|
|
description: API version of the referent.
|
|
type: string
|
|
fieldPath:
|
|
description: 'If referring to a piece of an object instead of an entire
|
|
object, this string should contain a valid JSON/Go field access
|
|
statement, such as desiredState.manifest.containers[2]. For example,
|
|
if the object reference is to a container within a pod, this would
|
|
take on a value like: "spec.containers{name}" (where "name" refers
|
|
to the name of the container that triggered the event) or if no
|
|
container name is specified "spec.containers[2]" (container with
|
|
index 2 in this pod). This syntax is chosen only to have some well-defined
|
|
way of referencing a part of an object. TODO: this design is not
|
|
final and this field is subject to change in the future.'
|
|
type: string
|
|
kind:
|
|
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
name:
|
|
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
namespace:
|
|
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
|
|
type: string
|
|
resourceVersion:
|
|
description: 'Specific resourceVersion to which this reference is
|
|
made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
|
|
type: string
|
|
uid:
|
|
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
|
|
type: string
|
|
type: object
|
|
scopeSelector:
|
|
description: ScopeSelector is an optional selector for multiple scopes
|
|
(e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
|
|
should be specified.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label selector requirements.
|
|
The requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement is a selector that contains
|
|
values, a key, and an operator that relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's relationship to a set
|
|
of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string values. If the operator
|
|
is In or NotIn, the values array must be non-empty. If the
|
|
operator is Exists or DoesNotExist, the values array must
|
|
be empty. This array is replaced during a strategic merge
|
|
patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value} pairs. A single {key,value}
|
|
in the matchLabels map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is "In", and the values array
|
|
contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
summary:
|
|
description: PolicyReportSummary provides a summary of results
|
|
properties:
|
|
error:
|
|
description: Error provides the count of policies that could not be
|
|
evaluated
|
|
type: integer
|
|
fail:
|
|
description: Fail provides the count of policies whose requirements
|
|
were not met
|
|
type: integer
|
|
pass:
|
|
description: Pass provides the count of policies whose requirements
|
|
were met
|
|
type: integer
|
|
skip:
|
|
description: Skip indicates the count of policies that were not selected
|
|
for evaluation
|
|
type: integer
|
|
warn:
|
|
description: Warn provides the count of unscored policies whose requirements
|
|
were not met
|
|
type: integer
|
|
type: object
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources: {}
|
|
---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.8.0
|
|
creationTimestamp: null
|
|
labels:
|
|
app.kubernetes.io/component: kyverno
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/name: kyverno
|
|
app.kubernetes.io/part-of: kyverno
|
|
app.kubernetes.io/version: latest
|
|
name: generaterequests.kyverno.io
|
|
spec:
|
|
group: kyverno.io
|
|
names:
|
|
kind: GenerateRequest
|
|
listKind: GenerateRequestList
|
|
plural: generaterequests
|
|
shortNames:
|
|
- gr
|
|
singular: generaterequest
|
|
scope: Namespaced
|
|
versions:
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .spec.policy
|
|
name: Policy
|
|
type: string
|
|
- jsonPath: .spec.resource.kind
|
|
name: ResourceKind
|
|
type: string
|
|
- jsonPath: .spec.resource.name
|
|
name: ResourceName
|
|
type: string
|
|
- jsonPath: .spec.resource.namespace
|
|
name: ResourceNamespace
|
|
type: string
|
|
- jsonPath: .status.state
|
|
name: status
|
|
type: string
|
|
- jsonPath: .metadata.creationTimestamp
|
|
name: Age
|
|
type: date
|
|
name: v1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: GenerateRequest is a request to process generate rule.
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Spec is the information to identify the generate request.
|
|
properties:
|
|
context:
|
|
description: Context ...
|
|
properties:
|
|
admissionRequestInfo:
|
|
description: AdmissionRequestInfoObject stores the admission request
|
|
and operation details
|
|
properties:
|
|
admissionRequest:
|
|
type: string
|
|
operation:
|
|
description: Operation is the type of resource operation being
|
|
checked for admission control
|
|
type: string
|
|
type: object
|
|
userInfo:
|
|
description: RequestInfo contains permission info carried in an
|
|
admission request.
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is a list of possible clusterRoles
|
|
send the request.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
roles:
|
|
description: Roles is a list of possible role send the request.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
userInfo:
|
|
description: UserInfo is the userInfo carried in the admission
|
|
request.
|
|
properties:
|
|
extra:
|
|
additionalProperties:
|
|
description: ExtraValue masks the value so protobuf
|
|
can generate
|
|
items:
|
|
type: string
|
|
type: array
|
|
description: Any additional information provided by the
|
|
authenticator.
|
|
type: object
|
|
groups:
|
|
description: The names of groups this user is a part of.
|
|
items:
|
|
type: string
|
|
type: array
|
|
uid:
|
|
description: A unique value that identifies this user
|
|
across time. If this user is deleted and another user
|
|
by the same name is added, they will have different
|
|
UIDs.
|
|
type: string
|
|
username:
|
|
description: The name that uniquely identifies this user
|
|
among all active users.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
type: object
|
|
policy:
|
|
description: Specifies the name of the policy.
|
|
type: string
|
|
resource:
|
|
description: ResourceSpec is the information to identify the generate
|
|
request.
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
type: object
|
|
required:
|
|
- context
|
|
- policy
|
|
- resource
|
|
type: object
|
|
status:
|
|
description: Status contains statistics related to generate request.
|
|
properties:
|
|
generatedResources:
|
|
description: This will track the resources that are generated by the
|
|
generate Policy. Will be used during clean up resources.
|
|
items:
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
message:
|
|
description: Specifies request status message.
|
|
type: string
|
|
state:
|
|
description: State represents state of the generate request.
|
|
type: string
|
|
required:
|
|
- state
|
|
type: object
|
|
required:
|
|
- spec
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources:
|
|
status: {}
|
|
---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.8.0
|
|
creationTimestamp: null
|
|
labels:
|
|
app.kubernetes.io/component: kyverno
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/name: kyverno
|
|
app.kubernetes.io/part-of: kyverno
|
|
app.kubernetes.io/version: latest
|
|
name: policies.kyverno.io
|
|
spec:
|
|
group: kyverno.io
|
|
names:
|
|
kind: Policy
|
|
listKind: PolicyList
|
|
plural: policies
|
|
shortNames:
|
|
- pol
|
|
singular: policy
|
|
scope: Namespaced
|
|
versions:
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .spec.background
|
|
name: Background
|
|
type: string
|
|
- jsonPath: .spec.validationFailureAction
|
|
name: Action
|
|
type: string
|
|
- jsonPath: .spec.failurePolicy
|
|
name: Failure Policy
|
|
priority: 1
|
|
type: string
|
|
- jsonPath: .status.ready
|
|
name: Ready
|
|
type: string
|
|
name: v1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: 'Policy declares validation, mutation, and generation behaviors
|
|
for matching resources. See: https://kyverno.io/docs/writing-policies/ for
|
|
more information.'
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Spec defines policy behaviors and contains one or more rules.
|
|
properties:
|
|
background:
|
|
description: Background controls if rules are applied to existing
|
|
resources during a background scan. Optional. Default value is "true".
|
|
The value must be set to "false" if the policy rule uses variables
|
|
that are only available in the admission review request (e.g. user
|
|
name).
|
|
type: boolean
|
|
failurePolicy:
|
|
description: FailurePolicy defines how unrecognized errors from the
|
|
admission endpoint are handled. Rules within the same policy share
|
|
the same failure behavior. Allowed values are Ignore or Fail. Defaults
|
|
to Fail.
|
|
enum:
|
|
- Ignore
|
|
- Fail
|
|
type: string
|
|
generateExistingOnPolicyUpdate:
|
|
description: GenerateExistingOnPolicyUpdate controls wether to trigger
|
|
generate rule in existing resources If is set to "true" generate
|
|
rule will be triggered and applied to existing matched resources.
|
|
Defaults to "false" if not specified.
|
|
type: boolean
|
|
mutateExistingOnPolicyUpdate:
|
|
description: MutateExistingOnPolicyUpdate controls if a mutateExisting
|
|
policy is applied on policy events. Default value is "false".
|
|
type: boolean
|
|
rules:
|
|
description: Rules is a list of Rule instances. A Policy contains
|
|
multiple rules and each rule can validate, mutate, or generate resources.
|
|
items:
|
|
description: Rule defines a validation, mutation, or generation
|
|
control for matching resources. Each rules contains a match declaration
|
|
to select resources, and an optional exclude declaration to specify
|
|
which resources to exclude.
|
|
properties:
|
|
context:
|
|
description: Context defines variables and data sources that
|
|
can be used during rule execution.
|
|
items:
|
|
description: ContextEntry adds variables and data sources
|
|
to a rule Context. Either a ConfigMap reference or a APILookup
|
|
must be provided.
|
|
properties:
|
|
apiCall:
|
|
description: APICall defines an HTTP request to the Kubernetes
|
|
API server. The JSON data retrieved is stored in the
|
|
context.
|
|
properties:
|
|
jmesPath:
|
|
description: JMESPath is an optional JSON Match Expression
|
|
that can be used to transform the JSON response
|
|
returned from the API server. For example a JMESPath
|
|
of "items | length(@)" applied to the API server
|
|
response to the URLPath "/apis/apps/v1/deployments"
|
|
will return the total count of deployments across
|
|
all namespaces.
|
|
type: string
|
|
urlPath:
|
|
description: URLPath is the URL path to be used in
|
|
the HTTP GET request to the Kubernetes API server
|
|
(e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the
|
|
`kubectl get --raw` command.
|
|
type: string
|
|
required:
|
|
- urlPath
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: ImageRegistry defines requests to an OCI/Docker
|
|
V2 registry to fetch image details.
|
|
properties:
|
|
jmesPath:
|
|
description: JMESPath is an optional JSON Match Expression
|
|
that can be used to transform the ImageData struct
|
|
returned as a result of processing the image reference.
|
|
type: string
|
|
reference:
|
|
description: 'Reference is image reference to a container
|
|
image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath context
|
|
variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: Default is an optional arbitrary JSON
|
|
object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: JMESPath is an optional JMESPath Expression
|
|
that can be used to transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON object representable
|
|
in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: object
|
|
type: array
|
|
exclude:
|
|
description: ExcludeResources defines when this policy rule
|
|
should not be applied. The exclude criteria can include resource
|
|
information (e.g. kind, name, namespace, labels) and admission
|
|
review request information like the name or role.
|
|
properties:
|
|
all:
|
|
description: All allows specifying resources which will
|
|
be ANDed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or "OR"
|
|
between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations is a map of annotations
|
|
(key-value pairs of type string). Annotation
|
|
keys and values support the wildcard characters
|
|
"*" (matches zero or many characters) and "?"
|
|
(matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: 'Name is the name of the resource.
|
|
The name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one
|
|
character). NOTE: "Name" is being deprecated
|
|
in favor of "Names".'
|
|
type: string
|
|
names:
|
|
description: Names are the names of the resources.
|
|
Each name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one
|
|
character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: 'NamespaceSelector is a label selector
|
|
for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters
|
|
`*` (matches zero or many characters) and `?`
|
|
(matches one character).Wildcards allows writing
|
|
label selectors like ["storage.k8s.io/*": "*"].
|
|
Note that using ["*" : "*"] matches any key
|
|
and value but does not match an empty label
|
|
set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a
|
|
key, and an operator that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only
|
|
"value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
namespaces:
|
|
description: Namespaces is a list of namespaces
|
|
names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?"
|
|
(at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: 'Selector is a label selector. Label
|
|
keys and values in `matchLabels` support the
|
|
wildcard characters `*` (matches zero or many
|
|
characters) and `?` (matches one character).
|
|
Wildcards allows writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*"
|
|
: "*"] matches any key and value but does not
|
|
match an empty label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a
|
|
key, and an operator that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only
|
|
"value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: Subject contains a reference to the
|
|
object or user identities a role binding applies
|
|
to. This can either hold a direct API object
|
|
reference, or a value for non-objects such as
|
|
user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: APIGroup holds the API group of
|
|
the referenced subject. Defaults to "" for
|
|
ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
|
|
for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: Kind of object being referenced.
|
|
Values defined by this API group are "User",
|
|
"Group", and "ServiceAccount". If the Authorizer
|
|
does not recognized the kind value, the Authorizer
|
|
should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the referenced object. If
|
|
the object kind is non-namespace, such as
|
|
"User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: Any allows specifying resources which will
|
|
be ORed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or "OR"
|
|
between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations is a map of annotations
|
|
(key-value pairs of type string). Annotation
|
|
keys and values support the wildcard characters
|
|
"*" (matches zero or many characters) and "?"
|
|
(matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: 'Name is the name of the resource.
|
|
The name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one
|
|
character). NOTE: "Name" is being deprecated
|
|
in favor of "Names".'
|
|
type: string
|
|
names:
|
|
description: Names are the names of the resources.
|
|
Each name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one
|
|
character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: 'NamespaceSelector is a label selector
|
|
for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters
|
|
`*` (matches zero or many characters) and `?`
|
|
(matches one character).Wildcards allows writing
|
|
label selectors like ["storage.k8s.io/*": "*"].
|
|
Note that using ["*" : "*"] matches any key
|
|
and value but does not match an empty label
|
|
set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a
|
|
key, and an operator that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only
|
|
"value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
namespaces:
|
|
description: Namespaces is a list of namespaces
|
|
names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?"
|
|
(at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: 'Selector is a label selector. Label
|
|
keys and values in `matchLabels` support the
|
|
wildcard characters `*` (matches zero or many
|
|
characters) and `?` (matches one character).
|
|
Wildcards allows writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*"
|
|
: "*"] matches any key and value but does not
|
|
match an empty label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a
|
|
key, and an operator that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only
|
|
"value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: Subject contains a reference to the
|
|
object or user identities a role binding applies
|
|
to. This can either hold a direct API object
|
|
reference, or a value for non-objects such as
|
|
user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: APIGroup holds the API group of
|
|
the referenced subject. Defaults to "" for
|
|
ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
|
|
for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: Kind of object being referenced.
|
|
Values defined by this API group are "User",
|
|
"Group", and "ServiceAccount". If the Authorizer
|
|
does not recognized the kind value, the Authorizer
|
|
should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the referenced object. If
|
|
the object kind is non-namespace, such as
|
|
"User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information about
|
|
the resource being created or modified. Requires at least
|
|
one tag to be specified when under MatchResources. Specifying
|
|
ResourceDescription directly under match is being deprecated.
|
|
Please specify under "any" or "all" instead.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations is a map of annotations (key-value
|
|
pairs of type string). Annotation keys and values
|
|
support the wildcard characters "*" (matches zero
|
|
or many characters) and "?" (matches at least one
|
|
character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: 'Name is the name of the resource. The
|
|
name supports wildcard characters "*" (matches zero
|
|
or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".'
|
|
type: string
|
|
names:
|
|
description: Names are the names of the resources. Each
|
|
name supports wildcard characters "*" (matches zero
|
|
or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: 'NamespaceSelector is a label selector
|
|
for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*`
|
|
(matches zero or many characters) and `?` (matches
|
|
one character).Wildcards allows writing label selectors
|
|
like ["storage.k8s.io/*": "*"]. Note that using ["*"
|
|
: "*"] matches any key and value but does not match
|
|
an empty label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement is a
|
|
selector that contains values, a key, and an
|
|
operator that relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's relationship
|
|
to a set of values. Valid operators are
|
|
In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the
|
|
operator is Exists or DoesNotExist, the
|
|
values array must be empty. This array is
|
|
replaced during a strategic merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is "In",
|
|
and the values array contains only "value". The
|
|
requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
namespaces:
|
|
description: Namespaces is a list of namespaces names.
|
|
Each name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: 'Selector is a label selector. Label keys
|
|
and values in `matchLabels` support the wildcard characters
|
|
`*` (matches zero or many characters) and `?` (matches
|
|
one character). Wildcards allows writing label selectors
|
|
like ["storage.k8s.io/*": "*"]. Note that using ["*"
|
|
: "*"] matches any key and value but does not match
|
|
an empty label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement is a
|
|
selector that contains values, a key, and an
|
|
operator that relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's relationship
|
|
to a set of values. Valid operators are
|
|
In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the
|
|
operator is Exists or DoesNotExist, the
|
|
values array must be empty. This array is
|
|
replaced during a strategic merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is "In",
|
|
and the values array contains only "value". The
|
|
requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: Subject contains a reference to the object
|
|
or user identities a role binding applies to. This
|
|
can either hold a direct API object reference, or a
|
|
value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: APIGroup holds the API group of the referenced
|
|
subject. Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User
|
|
and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: Kind of object being referenced. Values
|
|
defined by this API group are "User", "Group", and
|
|
"ServiceAccount". If the Authorizer does not recognized
|
|
the kind value, the Authorizer should report an
|
|
error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the referenced object. If
|
|
the object kind is non-namespace, such as "User"
|
|
or "Group", and this value is not empty the Authorizer
|
|
should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
type: array
|
|
type: object
|
|
generate:
|
|
description: Generation is used to create new resources.
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
clone:
|
|
description: Clone specifies the source resource used to
|
|
populate each generated resource. At most one of Data
|
|
or Clone can be specified. If neither are provided, the
|
|
generated resource will be created with default data only.
|
|
properties:
|
|
name:
|
|
description: Name specifies name of the resource.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies source resource namespace.
|
|
type: string
|
|
type: object
|
|
data:
|
|
description: Data provides the resource declaration used
|
|
to populate each generated resource. At most one of Data
|
|
or Clone must be specified. If neither are provided, the
|
|
generated resource will be created with default data only.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
synchronize:
|
|
description: Synchronize controls if generated resources
|
|
should be kept in-sync with their source resource. If
|
|
Synchronize is set to "true" changes to generated resources
|
|
will be overwritten with resource data from Data or the
|
|
resource specified in the Clone declaration. Optional.
|
|
Defaults to "false" if not specified.
|
|
type: boolean
|
|
type: object
|
|
imageExtractors:
|
|
additionalProperties:
|
|
items:
|
|
properties:
|
|
key:
|
|
description: Key is an optional name of the field within
|
|
'path' that will be used to uniquely identify an image.
|
|
Note - this field MUST be unique.
|
|
type: string
|
|
name:
|
|
description: Name is the entry the image will be available
|
|
under 'images.<name>' in the context. If this field
|
|
is not defined, image entries will appear under 'images.custom'.
|
|
type: string
|
|
path:
|
|
description: Path is the path to the object containing
|
|
the image field in a custom resource. It should be
|
|
slash-separated. Each slash-separated key must be
|
|
a valid YAML key or a wildcard '*'. Wildcard keys
|
|
are expanded in case of arrays or objects.
|
|
type: string
|
|
value:
|
|
description: Value is an optional name of the field
|
|
within 'path' that points to the image URI. This is
|
|
useful when a custom 'key' is also defined.
|
|
type: string
|
|
required:
|
|
- path
|
|
type: object
|
|
type: array
|
|
description: ImageExtractors defines a mapping from kinds to
|
|
ImageExtractorConfigs. This config is only valid for verifyImages
|
|
rules.
|
|
type: object
|
|
match:
|
|
description: MatchResources defines when this policy rule should
|
|
be applied. The match criteria can include resource information
|
|
(e.g. kind, name, namespace, labels) and admission review
|
|
request information like the user name or role. At least one
|
|
kind is required.
|
|
properties:
|
|
all:
|
|
description: All allows specifying resources which will
|
|
be ANDed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or "OR"
|
|
between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations is a map of annotations
|
|
(key-value pairs of type string). Annotation
|
|
keys and values support the wildcard characters
|
|
"*" (matches zero or many characters) and "?"
|
|
(matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: 'Name is the name of the resource.
|
|
The name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one
|
|
character). NOTE: "Name" is being deprecated
|
|
in favor of "Names".'
|
|
type: string
|
|
names:
|
|
description: Names are the names of the resources.
|
|
Each name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one
|
|
character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: 'NamespaceSelector is a label selector
|
|
for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters
|
|
`*` (matches zero or many characters) and `?`
|
|
(matches one character).Wildcards allows writing
|
|
label selectors like ["storage.k8s.io/*": "*"].
|
|
Note that using ["*" : "*"] matches any key
|
|
and value but does not match an empty label
|
|
set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a
|
|
key, and an operator that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only
|
|
"value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
namespaces:
|
|
description: Namespaces is a list of namespaces
|
|
names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?"
|
|
(at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: 'Selector is a label selector. Label
|
|
keys and values in `matchLabels` support the
|
|
wildcard characters `*` (matches zero or many
|
|
characters) and `?` (matches one character).
|
|
Wildcards allows writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*"
|
|
: "*"] matches any key and value but does not
|
|
match an empty label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a
|
|
key, and an operator that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only
|
|
"value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: Subject contains a reference to the
|
|
object or user identities a role binding applies
|
|
to. This can either hold a direct API object
|
|
reference, or a value for non-objects such as
|
|
user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: APIGroup holds the API group of
|
|
the referenced subject. Defaults to "" for
|
|
ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
|
|
for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: Kind of object being referenced.
|
|
Values defined by this API group are "User",
|
|
"Group", and "ServiceAccount". If the Authorizer
|
|
does not recognized the kind value, the Authorizer
|
|
should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the referenced object. If
|
|
the object kind is non-namespace, such as
|
|
"User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: Any allows specifying resources which will
|
|
be ORed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or "OR"
|
|
between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations is a map of annotations
|
|
(key-value pairs of type string). Annotation
|
|
keys and values support the wildcard characters
|
|
"*" (matches zero or many characters) and "?"
|
|
(matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: 'Name is the name of the resource.
|
|
The name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one
|
|
character). NOTE: "Name" is being deprecated
|
|
in favor of "Names".'
|
|
type: string
|
|
names:
|
|
description: Names are the names of the resources.
|
|
Each name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one
|
|
character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: 'NamespaceSelector is a label selector
|
|
for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters
|
|
`*` (matches zero or many characters) and `?`
|
|
(matches one character).Wildcards allows writing
|
|
label selectors like ["storage.k8s.io/*": "*"].
|
|
Note that using ["*" : "*"] matches any key
|
|
and value but does not match an empty label
|
|
set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a
|
|
key, and an operator that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only
|
|
"value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
namespaces:
|
|
description: Namespaces is a list of namespaces
|
|
names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?"
|
|
(at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: 'Selector is a label selector. Label
|
|
keys and values in `matchLabels` support the
|
|
wildcard characters `*` (matches zero or many
|
|
characters) and `?` (matches one character).
|
|
Wildcards allows writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*"
|
|
: "*"] matches any key and value but does not
|
|
match an empty label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a
|
|
key, and an operator that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only
|
|
"value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: Subject contains a reference to the
|
|
object or user identities a role binding applies
|
|
to. This can either hold a direct API object
|
|
reference, or a value for non-objects such as
|
|
user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: APIGroup holds the API group of
|
|
the referenced subject. Defaults to "" for
|
|
ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
|
|
for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: Kind of object being referenced.
|
|
Values defined by this API group are "User",
|
|
"Group", and "ServiceAccount". If the Authorizer
|
|
does not recognized the kind value, the Authorizer
|
|
should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the referenced object. If
|
|
the object kind is non-namespace, such as
|
|
"User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information about
|
|
the resource being created or modified. Requires at least
|
|
one tag to be specified when under MatchResources. Specifying
|
|
ResourceDescription directly under match is being deprecated.
|
|
Please specify under "any" or "all" instead.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations is a map of annotations (key-value
|
|
pairs of type string). Annotation keys and values
|
|
support the wildcard characters "*" (matches zero
|
|
or many characters) and "?" (matches at least one
|
|
character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: 'Name is the name of the resource. The
|
|
name supports wildcard characters "*" (matches zero
|
|
or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".'
|
|
type: string
|
|
names:
|
|
description: Names are the names of the resources. Each
|
|
name supports wildcard characters "*" (matches zero
|
|
or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: 'NamespaceSelector is a label selector
|
|
for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*`
|
|
(matches zero or many characters) and `?` (matches
|
|
one character).Wildcards allows writing label selectors
|
|
like ["storage.k8s.io/*": "*"]. Note that using ["*"
|
|
: "*"] matches any key and value but does not match
|
|
an empty label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement is a
|
|
selector that contains values, a key, and an
|
|
operator that relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's relationship
|
|
to a set of values. Valid operators are
|
|
In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the
|
|
operator is Exists or DoesNotExist, the
|
|
values array must be empty. This array is
|
|
replaced during a strategic merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is "In",
|
|
and the values array contains only "value". The
|
|
requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
namespaces:
|
|
description: Namespaces is a list of namespaces names.
|
|
Each name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: 'Selector is a label selector. Label keys
|
|
and values in `matchLabels` support the wildcard characters
|
|
`*` (matches zero or many characters) and `?` (matches
|
|
one character). Wildcards allows writing label selectors
|
|
like ["storage.k8s.io/*": "*"]. Note that using ["*"
|
|
: "*"] matches any key and value but does not match
|
|
an empty label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement is a
|
|
selector that contains values, a key, and an
|
|
operator that relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's relationship
|
|
to a set of values. Valid operators are
|
|
In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the
|
|
operator is Exists or DoesNotExist, the
|
|
values array must be empty. This array is
|
|
replaced during a strategic merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is "In",
|
|
and the values array contains only "value". The
|
|
requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: Subject contains a reference to the object
|
|
or user identities a role binding applies to. This
|
|
can either hold a direct API object reference, or a
|
|
value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: APIGroup holds the API group of the referenced
|
|
subject. Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User
|
|
and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: Kind of object being referenced. Values
|
|
defined by this API group are "User", "Group", and
|
|
"ServiceAccount". If the Authorizer does not recognized
|
|
the kind value, the Authorizer should report an
|
|
error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the referenced object. If
|
|
the object kind is non-namespace, such as "User"
|
|
or "Group", and this value is not empty the Authorizer
|
|
should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
type: array
|
|
type: object
|
|
mutate:
|
|
description: Mutation is used to modify matching resources.
|
|
properties:
|
|
foreach:
|
|
description: ForEach applies mutation rules to a list of
|
|
sub-elements by creating a context for each entry in the
|
|
list and looping over it to apply the specified logic.
|
|
items:
|
|
description: ForEach applies mutation rules to a list
|
|
of sub-elements by creating a context for each entry
|
|
in the list and looping over it to apply the specified
|
|
logic.
|
|
properties:
|
|
context:
|
|
description: Context defines variables and data sources
|
|
that can be used during rule execution.
|
|
items:
|
|
description: ContextEntry adds variables and data
|
|
sources to a rule Context. Either a ConfigMap
|
|
reference or a APILookup must be provided.
|
|
properties:
|
|
apiCall:
|
|
description: APICall defines an HTTP request
|
|
to the Kubernetes API server. The JSON data
|
|
retrieved is stored in the context.
|
|
properties:
|
|
jmesPath:
|
|
description: JMESPath is an optional JSON
|
|
Match Expression that can be used to transform
|
|
the JSON response returned from the API
|
|
server. For example a JMESPath of "items
|
|
| length(@)" applied to the API server
|
|
response to the URLPath "/apis/apps/v1/deployments"
|
|
will return the total count of deployments
|
|
across all namespaces.
|
|
type: string
|
|
urlPath:
|
|
description: URLPath is the URL path to
|
|
be used in the HTTP GET request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces"
|
|
or "/apis/apps/v1/deployments"). The
|
|
format required is the same format used
|
|
by the `kubectl get --raw` command.
|
|
type: string
|
|
required:
|
|
- urlPath
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: ImageRegistry defines requests
|
|
to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
jmesPath:
|
|
description: JMESPath is an optional JSON
|
|
Match Expression that can be used to transform
|
|
the ImageData struct returned as a result
|
|
of processing the image reference.
|
|
type: string
|
|
reference:
|
|
description: 'Reference is image reference
|
|
to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest'
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath
|
|
context variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: Default is an optional arbitrary
|
|
JSON object that the variable may take
|
|
if the JMESPath expression evaluates to
|
|
nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: JMESPath is an optional JMESPath
|
|
Expression that can be used to transform
|
|
the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON
|
|
object representable in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: object
|
|
type: array
|
|
list:
|
|
description: List specifies a JMESPath expression
|
|
that results in one or more elements to which the
|
|
validation logic is applied.
|
|
type: string
|
|
patchStrategicMerge:
|
|
description: PatchStrategicMerge is a strategic merge
|
|
patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
|
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
patchesJson6902:
|
|
description: PatchesJSON6902 is a list of RFC 6902
|
|
JSON Patch declarations used to modify resources.
|
|
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
|
type: string
|
|
preconditions:
|
|
description: 'AnyAllConditions are used to determine
|
|
if a policy rule should be applied by evaluating
|
|
a set of conditions. The declaration can contain
|
|
nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
|
|
properties:
|
|
all:
|
|
description: AllConditions enable variable-based
|
|
conditional rule execution. This is useful for
|
|
finer control of when an rule is applied. A
|
|
condition can reference object data using JMESPath
|
|
notation. Here, all of the conditions need to
|
|
pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
operator:
|
|
description: 'Operator is the conditional
|
|
operation to perform. Valid operators
|
|
are: Equals, NotEquals, In, AnyIn, AllIn,
|
|
NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan,
|
|
DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional value,
|
|
or set of values. The values can be fixed
|
|
set or can be variables declared using
|
|
JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: AnyConditions enable variable-based
|
|
conditional rule execution. This is useful for
|
|
finer control of when an rule is applied. A
|
|
condition can reference object data using JMESPath
|
|
notation. Here, at least one of the conditions
|
|
need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
operator:
|
|
description: 'Operator is the conditional
|
|
operation to perform. Valid operators
|
|
are: Equals, NotEquals, In, AnyIn, AllIn,
|
|
NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan,
|
|
DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional value,
|
|
or set of values. The values can be fixed
|
|
set or can be variables declared using
|
|
JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
patchStrategicMerge:
|
|
description: PatchStrategicMerge is a strategic merge patch
|
|
used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
|
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
patchesJson6902:
|
|
description: PatchesJSON6902 is a list of RFC 6902 JSON
|
|
Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902
|
|
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
|
type: string
|
|
targets:
|
|
description: Targets defines the target resources to be
|
|
mutated.
|
|
items:
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
name:
|
|
description: Name is a label to identify the rule, It must be
|
|
unique within the policy.
|
|
maxLength: 63
|
|
type: string
|
|
preconditions:
|
|
description: 'Preconditions are used to determine if a policy
|
|
rule should be applied by evaluating a set of conditions.
|
|
The declaration can contain nested `any` or `all` statements.
|
|
A direct list of conditions (without `any` or `all` statements
|
|
is supported for backwards compatibility but will be deprecated
|
|
in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
validate:
|
|
description: Validation is used to validate matching resources.
|
|
properties:
|
|
anyPattern:
|
|
description: AnyPattern specifies list of validation patterns.
|
|
At least one of the patterns must be satisfied for the
|
|
validation rule to succeed.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
deny:
|
|
description: Deny defines conditions used to pass or fail
|
|
a validation rule.
|
|
properties:
|
|
conditions:
|
|
description: 'Multiple conditions can be declared under
|
|
an `any` or `all` statement. A direct list of conditions
|
|
(without `any` or `all` statements) is also supported
|
|
for backwards compatibility but will be deprecated
|
|
in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
foreach:
|
|
description: ForEach applies validate rules to a list of
|
|
sub-elements by creating a context for each entry in the
|
|
list and looping over it to apply the specified logic.
|
|
items:
|
|
description: ForEach applies validate rules to a list
|
|
of sub-elements by creating a context for each entry
|
|
in the list and looping over it to apply the specified
|
|
logic.
|
|
properties:
|
|
anyPattern:
|
|
description: AnyPattern specifies list of validation
|
|
patterns. At least one of the patterns must be satisfied
|
|
for the validation rule to succeed.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
context:
|
|
description: Context defines variables and data sources
|
|
that can be used during rule execution.
|
|
items:
|
|
description: ContextEntry adds variables and data
|
|
sources to a rule Context. Either a ConfigMap
|
|
reference or a APILookup must be provided.
|
|
properties:
|
|
apiCall:
|
|
description: APICall defines an HTTP request
|
|
to the Kubernetes API server. The JSON data
|
|
retrieved is stored in the context.
|
|
properties:
|
|
jmesPath:
|
|
description: JMESPath is an optional JSON
|
|
Match Expression that can be used to transform
|
|
the JSON response returned from the API
|
|
server. For example a JMESPath of "items
|
|
| length(@)" applied to the API server
|
|
response to the URLPath "/apis/apps/v1/deployments"
|
|
will return the total count of deployments
|
|
across all namespaces.
|
|
type: string
|
|
urlPath:
|
|
description: URLPath is the URL path to
|
|
be used in the HTTP GET request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces"
|
|
or "/apis/apps/v1/deployments"). The
|
|
format required is the same format used
|
|
by the `kubectl get --raw` command.
|
|
type: string
|
|
required:
|
|
- urlPath
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: ImageRegistry defines requests
|
|
to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
jmesPath:
|
|
description: JMESPath is an optional JSON
|
|
Match Expression that can be used to transform
|
|
the ImageData struct returned as a result
|
|
of processing the image reference.
|
|
type: string
|
|
reference:
|
|
description: 'Reference is image reference
|
|
to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest'
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath
|
|
context variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: Default is an optional arbitrary
|
|
JSON object that the variable may take
|
|
if the JMESPath expression evaluates to
|
|
nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: JMESPath is an optional JMESPath
|
|
Expression that can be used to transform
|
|
the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON
|
|
object representable in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: object
|
|
type: array
|
|
deny:
|
|
description: Deny defines conditions used to pass
|
|
or fail a validation rule.
|
|
properties:
|
|
conditions:
|
|
description: 'Multiple conditions can be declared
|
|
under an `any` or `all` statement. A direct
|
|
list of conditions (without `any` or `all` statements)
|
|
is also supported for backwards compatibility
|
|
but will be deprecated in the next major release.
|
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
elementScope:
|
|
description: ElementScope specifies whether to use
|
|
the current list element as the scope for validation.
|
|
Defaults to "true" if not specified. When set to
|
|
"false", "request.object" is used as the validation
|
|
scope within the foreach block to allow referencing
|
|
other elements in the subtree.
|
|
type: boolean
|
|
list:
|
|
description: List specifies a JMESPath expression
|
|
that results in one or more elements to which the
|
|
validation logic is applied.
|
|
type: string
|
|
pattern:
|
|
description: Pattern specifies an overlay-style pattern
|
|
used to check resources.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
preconditions:
|
|
description: 'AnyAllConditions are used to determine
|
|
if a policy rule should be applied by evaluating
|
|
a set of conditions. The declaration can contain
|
|
nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
|
|
properties:
|
|
all:
|
|
description: AllConditions enable variable-based
|
|
conditional rule execution. This is useful for
|
|
finer control of when an rule is applied. A
|
|
condition can reference object data using JMESPath
|
|
notation. Here, all of the conditions need to
|
|
pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
operator:
|
|
description: 'Operator is the conditional
|
|
operation to perform. Valid operators
|
|
are: Equals, NotEquals, In, AnyIn, AllIn,
|
|
NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan,
|
|
DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional value,
|
|
or set of values. The values can be fixed
|
|
set or can be variables declared using
|
|
JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: AnyConditions enable variable-based
|
|
conditional rule execution. This is useful for
|
|
finer control of when an rule is applied. A
|
|
condition can reference object data using JMESPath
|
|
notation. Here, at least one of the conditions
|
|
need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
operator:
|
|
description: 'Operator is the conditional
|
|
operation to perform. Valid operators
|
|
are: Equals, NotEquals, In, AnyIn, AllIn,
|
|
NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan,
|
|
DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional value,
|
|
or set of values. The values can be fixed
|
|
set or can be variables declared using
|
|
JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
message:
|
|
description: Message specifies a custom message to be displayed
|
|
on failure.
|
|
type: string
|
|
pattern:
|
|
description: Pattern specifies an overlay-style pattern
|
|
used to check resources.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
verifyImages:
|
|
description: VerifyImages is used to verify image signatures
|
|
and mutate them to add a digest
|
|
items:
|
|
description: ImageVerification validates that images that
|
|
match the specified pattern are signed with the supplied
|
|
public key. Once the image is verified it is mutated to
|
|
include the SHA digest retrieved during the registration.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions are certificate-extensions
|
|
used for keyless signing. Deprecated.
|
|
type: object
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations are used for image verification.
|
|
Every specified key-value pair must exist and match
|
|
in the verified payload. The payload may contain other
|
|
key-value pairs. Deprecated. Use annotations per Attestor
|
|
instead.
|
|
type: object
|
|
attestations:
|
|
description: Attestations are optional checks for signed
|
|
in-toto Statements used to verify the image. See https://github.com/in-toto/attestation.
|
|
Kyverno fetches signed attestations from the OCI registry
|
|
and decodes them into a list of Statement declarations.
|
|
items:
|
|
description: Attestation are checks for signed in-toto
|
|
Statements that are used to verify the image. See
|
|
https://github.com/in-toto/attestation. Kyverno fetches
|
|
signed attestations from the OCI registry and decodes
|
|
them into a list of Statements.
|
|
properties:
|
|
conditions:
|
|
description: Conditions are used to verify attributes
|
|
within a Predicate. If no Conditions are specified
|
|
the attestation check is satisfied as long there
|
|
are predicates that match the predicate type.
|
|
items:
|
|
description: AnyAllConditions consists of conditions
|
|
wrapped denoting a logical criteria to be fulfilled.
|
|
AnyConditions get fulfilled when at least one
|
|
of its sub-conditions passes. AllConditions
|
|
get fulfilled only when all of its sub-conditions
|
|
pass.
|
|
properties:
|
|
all:
|
|
description: AllConditions enable variable-based
|
|
conditional rule execution. This is useful
|
|
for finer control of when an rule is applied.
|
|
A condition can reference object data using
|
|
JMESPath notation. Here, all of the conditions
|
|
need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
operator:
|
|
description: 'Operator is the conditional
|
|
operation to perform. Valid operators
|
|
are: Equals, NotEquals, In, AnyIn,
|
|
AllIn, NotIn, AnyNotIn, AllNotIn,
|
|
GreaterThanOrEquals, GreaterThan,
|
|
LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
|
|
DurationGreaterThan, DurationLessThanOrEquals,
|
|
DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional
|
|
value, or set of values. The values
|
|
can be fixed set or can be variables
|
|
declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: AnyConditions enable variable-based
|
|
conditional rule execution. This is useful
|
|
for finer control of when an rule is applied.
|
|
A condition can reference object data using
|
|
JMESPath notation. Here, at least one of
|
|
the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
operator:
|
|
description: 'Operator is the conditional
|
|
operation to perform. Valid operators
|
|
are: Equals, NotEquals, In, AnyIn,
|
|
AllIn, NotIn, AnyNotIn, AllNotIn,
|
|
GreaterThanOrEquals, GreaterThan,
|
|
LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
|
|
DurationGreaterThan, DurationLessThanOrEquals,
|
|
DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional
|
|
value, or set of values. The values
|
|
can be fixed set or can be variables
|
|
declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
predicateType:
|
|
description: PredicateType defines the type of Predicate
|
|
contained within the Statement.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
attestors:
|
|
description: Attestors specified the required attestors
|
|
(i.e. authorities)
|
|
items:
|
|
properties:
|
|
count:
|
|
description: Count specifies the required number
|
|
of entries that must match. If the count is null,
|
|
all entries must match (a logical AND). If the
|
|
count is 1, at least one entry must match (a logical
|
|
OR). If the count contains a value N, then N must
|
|
be less than or equal to the size of entries,
|
|
and at least N entries must match.
|
|
minimum: 1
|
|
type: integer
|
|
entries:
|
|
description: Entries contains the available attestors.
|
|
An attestor can be a static key, attributes for
|
|
keyless verification, or a nested attestor declaration.
|
|
items:
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations are used for image
|
|
verification. Every specified key-value
|
|
pair must exist and match in the verified
|
|
payload. The payload may contain other key-value
|
|
pairs.
|
|
type: object
|
|
attestor:
|
|
description: Attestor is a nested AttestorSet
|
|
used to specify a more complex set of match
|
|
authorities
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
certificates:
|
|
description: Certificates specifies one or
|
|
more certificates
|
|
properties:
|
|
cert:
|
|
description: Certificate is an optional
|
|
PEM encoded public certificate.
|
|
type: string
|
|
certChain:
|
|
description: CertificateChain is an optional
|
|
PEM encoded set of certificates used
|
|
to verify
|
|
type: string
|
|
rekor:
|
|
description: Rekor provides configuration
|
|
for the Rekor transparency log service.
|
|
If the value is nil, Rekor is not checked.
|
|
If an empty object is provided the public
|
|
instance of Rekor (https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
url:
|
|
description: URL is the address of
|
|
the transparency log. Defaults to
|
|
the public log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
type: object
|
|
keyless:
|
|
description: Keyless is a set of attribute
|
|
used to verify a Sigstore keyless attestor.
|
|
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions are
|
|
certificate-extensions used for keyless
|
|
signing.
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
rekor:
|
|
description: Rekor provides configuration
|
|
for the Rekor transparency log service.
|
|
If the value is nil, Rekor is not checked
|
|
and a root certificate chain is expected
|
|
instead. If an empty object is provided
|
|
the public instance of Rekor (https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
url:
|
|
description: URL is the address of
|
|
the transparency log. Defaults to
|
|
the public log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
roots:
|
|
description: Roots is an optional set
|
|
of PEM encoded trusted root certificates.
|
|
If not provided, the system roots are
|
|
used.
|
|
type: string
|
|
subject:
|
|
description: Subject is the verified identity
|
|
used for keyless signing, for example
|
|
the email address
|
|
type: string
|
|
type: object
|
|
keys:
|
|
description: Keys specifies one or more public
|
|
keys
|
|
properties:
|
|
publicKeys:
|
|
description: Keys is a set of X.509 public
|
|
keys used to verify image signatures.
|
|
The keys can be directly specified or
|
|
can be a variable reference to a key
|
|
specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/).
|
|
When multiple keys are specified each
|
|
key is processed as a separate staticKey
|
|
entry (.attestors[*].entries.keys) within
|
|
the set of attestors and the count is
|
|
applied across the keys.
|
|
type: string
|
|
rekor:
|
|
description: Rekor provides configuration
|
|
for the Rekor transparency log service.
|
|
If the value is nil, Rekor is not checked.
|
|
If an empty object is provided the public
|
|
instance of Rekor (https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
url:
|
|
description: URL is the address of
|
|
the transparency log. Defaults to
|
|
the public log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
type: object
|
|
repository:
|
|
description: Repository is an optional alternate
|
|
OCI repository to use for signatures and
|
|
attestations that match this rule. If specified
|
|
Repository will override other OCI image
|
|
repository locations for this Attestor.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
image:
|
|
description: 'Image is the image name consisting of the
|
|
registry address, repository, image, and tag. Wildcards
|
|
(''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
|
|
Deprecated. Use ImageReferences instead.'
|
|
type: string
|
|
imageReferences:
|
|
description: 'ImageReferences is a list of matching image
|
|
reference patterns. At least one pattern in the list
|
|
must match the image for the rule to apply. Each image
|
|
reference consists of a registry address (defaults to
|
|
docker.io), repository, image, and tag (defaults to
|
|
latest). Wildcards (''*'' and ''?'') are allowed. See:
|
|
https://kubernetes.io/docs/concepts/containers/images.'
|
|
items:
|
|
type: string
|
|
type: array
|
|
issuer:
|
|
description: Issuer is the certificate issuer used for
|
|
keyless signing. Deprecated. Use KeylessAttestor instead.
|
|
type: string
|
|
key:
|
|
description: Key is the PEM encoded public key that the
|
|
image or attestation is signed with. Deprecated. Use
|
|
StaticKeyAttestor instead.
|
|
type: string
|
|
mutateDigest:
|
|
default: true
|
|
description: MutateDigest enables replacement of image
|
|
tags with digests. Defaults to true.
|
|
type: boolean
|
|
repository:
|
|
description: Repository is an optional alternate OCI repository
|
|
to use for image signatures and attestations that match
|
|
this rule. If specified Repository will override the
|
|
default OCI image repository configured for the installation.
|
|
The repository can also be overridden per Attestor or
|
|
Attestation.
|
|
type: string
|
|
required:
|
|
default: true
|
|
description: Required validates that images are verified
|
|
i.e. have matched passed a signature or attestation
|
|
check.
|
|
type: boolean
|
|
roots:
|
|
description: Roots is the PEM encoded Root certificate
|
|
chain used for keyless signing Deprecated. Use KeylessAttestor
|
|
instead.
|
|
type: string
|
|
subject:
|
|
description: Subject is the identity used for keyless
|
|
signing, for example an email address Deprecated. Use
|
|
KeylessAttestor instead.
|
|
type: string
|
|
verifyDigest:
|
|
default: true
|
|
description: VerifyDigest validates that images have a
|
|
digest.
|
|
type: boolean
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
schemaValidation:
|
|
description: SchemaValidation skips policy validation checks. Optional.
|
|
The default value is set to "true", it must be set to "false" to
|
|
disable the validation checks.
|
|
type: boolean
|
|
validationFailureAction:
|
|
description: ValidationFailureAction controls if a validation policy
|
|
rule failure should disallow the admission review request (enforce),
|
|
or allow (audit) the admission review request and report an error
|
|
in a policy report. Optional. The default value is "audit".
|
|
enum:
|
|
- audit
|
|
- enforce
|
|
type: string
|
|
validationFailureActionOverrides:
|
|
description: ValidationFailureActionOverrides is a Cluster Policy
|
|
attribute that specifies ValidationFailureAction namespace-wise.
|
|
It overrides ValidationFailureAction for the specified namespaces.
|
|
items:
|
|
properties:
|
|
action:
|
|
description: ValidationFailureAction defines the policy validation
|
|
failure action
|
|
enum:
|
|
- audit
|
|
- enforce
|
|
type: string
|
|
namespaces:
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
type: array
|
|
webhookTimeoutSeconds:
|
|
description: WebhookTimeoutSeconds specifies the maximum time in seconds
|
|
allowed to apply this policy. After the configured time expires,
|
|
the admission request may fail, or may simply ignore the policy
|
|
results, based on the failure policy. The default timeout is 10s,
|
|
the value must be between 1 and 30 seconds.
|
|
format: int32
|
|
type: integer
|
|
type: object
|
|
status:
|
|
description: Status contains policy runtime information. Deprecated. Policy
|
|
metrics are available via the metrics endpoint
|
|
properties:
|
|
conditions:
|
|
description: Conditions is a list of conditions that apply to the
|
|
policy
|
|
items:
|
|
description: "Condition contains details for one aspect of the current
|
|
state of this API Resource. --- This struct is intended for direct
|
|
use as an array at the field path .status.conditions. For example,
|
|
type FooStatus struct{ // Represents the observations of a foo's
|
|
current state. // Known .status.conditions.type are: \"Available\",
|
|
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
|
|
// +listType=map // +listMapKey=type Conditions []metav1.Condition
|
|
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
|
|
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
|
|
properties:
|
|
lastTransitionTime:
|
|
description: lastTransitionTime is the last time the condition
|
|
transitioned from one status to another. This should be when
|
|
the underlying condition changed. If that is not known, then
|
|
using the time when the API field changed is acceptable.
|
|
format: date-time
|
|
type: string
|
|
message:
|
|
description: message is a human readable message indicating
|
|
details about the transition. This may be an empty string.
|
|
maxLength: 32768
|
|
type: string
|
|
observedGeneration:
|
|
description: observedGeneration represents the .metadata.generation
|
|
that the condition was set based upon. For instance, if .metadata.generation
|
|
is currently 12, but the .status.conditions[x].observedGeneration
|
|
is 9, the condition is out of date with respect to the current
|
|
state of the instance.
|
|
format: int64
|
|
minimum: 0
|
|
type: integer
|
|
reason:
|
|
description: reason contains a programmatic identifier indicating
|
|
the reason for the condition's last transition. Producers
|
|
of specific condition types may define expected values and
|
|
meanings for this field, and whether the values are considered
|
|
a guaranteed API. The value should be a CamelCase string.
|
|
This field may not be empty.
|
|
maxLength: 1024
|
|
minLength: 1
|
|
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
|
type: string
|
|
status:
|
|
description: status of the condition, one of True, False, Unknown.
|
|
enum:
|
|
- "True"
|
|
- "False"
|
|
- Unknown
|
|
type: string
|
|
type:
|
|
description: type of condition in CamelCase or in foo.example.com/CamelCase.
|
|
--- Many .condition.type values are consistent across resources
|
|
like Available, but because arbitrary conditions can be useful
|
|
(see .node.status.conditions), the ability to deconflict is
|
|
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
|
|
maxLength: 316
|
|
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
|
type: string
|
|
required:
|
|
- lastTransitionTime
|
|
- message
|
|
- reason
|
|
- status
|
|
- type
|
|
type: object
|
|
type: array
|
|
ready:
|
|
description: Ready indicates if the policy is ready to serve the admission
|
|
request. Deprecated in favor of Conditions
|
|
type: boolean
|
|
required:
|
|
- ready
|
|
type: object
|
|
required:
|
|
- spec
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources:
|
|
status: {}
|
|
---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.8.0
|
|
creationTimestamp: null
|
|
labels:
|
|
app.kubernetes.io/component: kyverno
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/name: kyverno
|
|
app.kubernetes.io/part-of: kyverno
|
|
app.kubernetes.io/version: latest
|
|
name: policyreports.wgpolicyk8s.io
|
|
spec:
|
|
group: wgpolicyk8s.io
|
|
names:
|
|
kind: PolicyReport
|
|
listKind: PolicyReportList
|
|
plural: policyreports
|
|
shortNames:
|
|
- polr
|
|
singular: policyreport
|
|
scope: Namespaced
|
|
versions:
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .scope.kind
|
|
name: Kind
|
|
priority: 1
|
|
type: string
|
|
- jsonPath: .scope.name
|
|
name: Name
|
|
priority: 1
|
|
type: string
|
|
- jsonPath: .summary.pass
|
|
name: Pass
|
|
type: integer
|
|
- jsonPath: .summary.fail
|
|
name: Fail
|
|
type: integer
|
|
- jsonPath: .summary.warn
|
|
name: Warn
|
|
type: integer
|
|
- jsonPath: .summary.error
|
|
name: Error
|
|
type: integer
|
|
- jsonPath: .summary.skip
|
|
name: Skip
|
|
type: integer
|
|
- jsonPath: .metadata.creationTimestamp
|
|
name: Age
|
|
type: date
|
|
name: v1alpha2
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: PolicyReport is the Schema for the policyreports API
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
results:
|
|
description: PolicyReportResult provides result details
|
|
items:
|
|
description: PolicyReportResult provides the result for an individual
|
|
policy
|
|
properties:
|
|
category:
|
|
description: Category indicates policy category
|
|
type: string
|
|
message:
|
|
description: Message is a short user friendly description of the
|
|
policy rule
|
|
type: string
|
|
policy:
|
|
description: Policy is the name of the policy
|
|
type: string
|
|
properties:
|
|
additionalProperties:
|
|
type: string
|
|
description: Properties provides additional information for the
|
|
policy rule
|
|
type: object
|
|
resourceSelector:
|
|
description: ResourceSelector is an optional selector for policy
|
|
results that apply to multiple resources. For example, a policy
|
|
result may apply to all pods that match a label. Either a Resource
|
|
or a ResourceSelector can be specified. If neither are provided,
|
|
the result is assumed to be for the policy report scope.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label selector requirements.
|
|
The requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement is a selector that
|
|
contains values, a key, and an operator that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's relationship
|
|
to a set of values. Valid operators are In, NotIn, Exists
|
|
and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string values. If the
|
|
operator is In or NotIn, the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist, the values
|
|
array must be empty. This array is replaced during a
|
|
strategic merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value} pairs. A single
|
|
{key,value} in the matchLabels map is equivalent to an element
|
|
of matchExpressions, whose key field is "key", the operator
|
|
is "In", and the values array contains only "value". The requirements
|
|
are ANDed.
|
|
type: object
|
|
type: object
|
|
resources:
|
|
description: Resources is an optional reference to the resource
|
|
checked by the policy and rule
|
|
items:
|
|
description: 'ObjectReference contains enough information to let
|
|
you inspect or modify the referred object. --- New uses of this
|
|
type are discouraged because of difficulty describing its usage
|
|
when embedded in APIs. 1. Ignored fields. It includes many
|
|
fields which are not generally honored. For instance, ResourceVersion
|
|
and FieldPath are both very rarely valid in actual usage. 2.
|
|
Invalid usage help. It is impossible to add specific help for
|
|
individual usage. In most embedded usages, there are particular
|
|
restrictions like, "must refer only to types A and B" or "UID
|
|
not honored" or "name must be restricted". Those cannot be well
|
|
described when embedded. 3. Inconsistent validation. Because
|
|
the usages are different, the validation rules are different
|
|
by usage, which makes it hard for users to predict what will
|
|
happen. 4. The fields are both imprecise and overly precise. Kind
|
|
is not a precise mapping to a URL. This can produce ambiguity
|
|
during interpretation and require a REST mapping. In most cases,
|
|
the dependency is on the group,resource tuple and the version
|
|
of the actual struct is irrelevant. 5. We cannot easily change
|
|
it. Because this type is embedded in many locations, updates
|
|
to this type will affect numerous schemas. Don''t make new
|
|
APIs embed an underspecified API type they do not control. Instead
|
|
of using this type, create a locally provided and used type
|
|
that is well-focused on your reference. For example, ServiceReferences
|
|
for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
|
|
.'
|
|
properties:
|
|
apiVersion:
|
|
description: API version of the referent.
|
|
type: string
|
|
fieldPath:
|
|
description: 'If referring to a piece of an object instead
|
|
of an entire object, this string should contain a valid
|
|
JSON/Go field access statement, such as desiredState.manifest.containers[2].
|
|
For example, if the object reference is to a container within
|
|
a pod, this would take on a value like: "spec.containers{name}"
|
|
(where "name" refers to the name of the container that triggered
|
|
the event) or if no container name is specified "spec.containers[2]"
|
|
(container with index 2 in this pod). This syntax is chosen
|
|
only to have some well-defined way of referencing a part
|
|
of an object. TODO: this design is not final and this field
|
|
is subject to change in the future.'
|
|
type: string
|
|
kind:
|
|
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
name:
|
|
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
namespace:
|
|
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
|
|
type: string
|
|
resourceVersion:
|
|
description: 'Specific resourceVersion to which this reference
|
|
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
|
|
type: string
|
|
uid:
|
|
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
|
|
type: string
|
|
type: object
|
|
type: array
|
|
result:
|
|
description: Result indicates the outcome of the policy rule execution
|
|
enum:
|
|
- pass
|
|
- fail
|
|
- warn
|
|
- error
|
|
- skip
|
|
type: string
|
|
rule:
|
|
description: Rule is the name of the policy rule
|
|
type: string
|
|
scored:
|
|
description: Scored indicates if this policy rule is scored
|
|
type: boolean
|
|
severity:
|
|
description: Severity indicates policy severity
|
|
enum:
|
|
- high
|
|
- low
|
|
- medium
|
|
type: string
|
|
source:
|
|
description: Source is an identifier for the policy engine that
|
|
manages this report
|
|
type: string
|
|
timestamp:
|
|
description: Timestamp indicates the time the result was found
|
|
properties:
|
|
nanos:
|
|
description: Non-negative fractions of a second at nanosecond
|
|
resolution. Negative second values with fractions must still
|
|
have non-negative nanos values that count forward in time.
|
|
Must be from 0 to 999,999,999 inclusive. This field may be
|
|
limited in precision depending on context.
|
|
format: int32
|
|
type: integer
|
|
seconds:
|
|
description: Represents seconds of UTC time since Unix epoch
|
|
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
|
|
9999-12-31T23:59:59Z inclusive.
|
|
format: int64
|
|
type: integer
|
|
required:
|
|
- nanos
|
|
- seconds
|
|
type: object
|
|
required:
|
|
- policy
|
|
type: object
|
|
type: array
|
|
scope:
|
|
description: Scope is an optional reference to the report scope (e.g.
|
|
a Deployment, Namespace, or Node)
|
|
properties:
|
|
apiVersion:
|
|
description: API version of the referent.
|
|
type: string
|
|
fieldPath:
|
|
description: 'If referring to a piece of an object instead of an entire
|
|
object, this string should contain a valid JSON/Go field access
|
|
statement, such as desiredState.manifest.containers[2]. For example,
|
|
if the object reference is to a container within a pod, this would
|
|
take on a value like: "spec.containers{name}" (where "name" refers
|
|
to the name of the container that triggered the event) or if no
|
|
container name is specified "spec.containers[2]" (container with
|
|
index 2 in this pod). This syntax is chosen only to have some well-defined
|
|
way of referencing a part of an object. TODO: this design is not
|
|
final and this field is subject to change in the future.'
|
|
type: string
|
|
kind:
|
|
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
name:
|
|
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
namespace:
|
|
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
|
|
type: string
|
|
resourceVersion:
|
|
description: 'Specific resourceVersion to which this reference is
|
|
made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
|
|
type: string
|
|
uid:
|
|
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
|
|
type: string
|
|
type: object
|
|
scopeSelector:
|
|
description: ScopeSelector is an optional selector for multiple scopes
|
|
(e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
|
|
should be specified.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label selector requirements.
|
|
The requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement is a selector that contains
|
|
values, a key, and an operator that relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's relationship to a set
|
|
of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string values. If the operator
|
|
is In or NotIn, the values array must be non-empty. If the
|
|
operator is Exists or DoesNotExist, the values array must
|
|
be empty. This array is replaced during a strategic merge
|
|
patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value} pairs. A single {key,value}
|
|
in the matchLabels map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is "In", and the values array
|
|
contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
summary:
|
|
description: PolicyReportSummary provides a summary of results
|
|
properties:
|
|
error:
|
|
description: Error provides the count of policies that could not be
|
|
evaluated
|
|
type: integer
|
|
fail:
|
|
description: Fail provides the count of policies whose requirements
|
|
were not met
|
|
type: integer
|
|
pass:
|
|
description: Pass provides the count of policies whose requirements
|
|
were met
|
|
type: integer
|
|
skip:
|
|
description: Skip indicates the count of policies that were not selected
|
|
for evaluation
|
|
type: integer
|
|
warn:
|
|
description: Warn provides the count of unscored policies whose requirements
|
|
were not met
|
|
type: integer
|
|
type: object
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources: {}
|
|
---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.8.0
|
|
creationTimestamp: null
|
|
labels:
|
|
app.kubernetes.io/component: kyverno
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/name: kyverno
|
|
app.kubernetes.io/part-of: kyverno
|
|
app.kubernetes.io/version: latest
|
|
name: reportchangerequests.kyverno.io
|
|
spec:
|
|
group: kyverno.io
|
|
names:
|
|
kind: ReportChangeRequest
|
|
listKind: ReportChangeRequestList
|
|
plural: reportchangerequests
|
|
shortNames:
|
|
- rcr
|
|
singular: reportchangerequest
|
|
scope: Namespaced
|
|
versions:
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .scope.kind
|
|
name: Kind
|
|
priority: 1
|
|
type: string
|
|
- jsonPath: .scope.name
|
|
name: Name
|
|
priority: 1
|
|
type: string
|
|
- jsonPath: .summary.pass
|
|
name: Pass
|
|
type: integer
|
|
- jsonPath: .summary.fail
|
|
name: Fail
|
|
type: integer
|
|
- jsonPath: .summary.warn
|
|
name: Warn
|
|
type: integer
|
|
- jsonPath: .summary.error
|
|
name: Error
|
|
type: integer
|
|
- jsonPath: .summary.skip
|
|
name: Skip
|
|
type: integer
|
|
- jsonPath: .metadata.creationTimestamp
|
|
name: Age
|
|
type: date
|
|
name: v1alpha2
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: ReportChangeRequest is the Schema for the ReportChangeRequests
|
|
API
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
results:
|
|
description: PolicyReportResult provides result details
|
|
items:
|
|
description: PolicyReportResult provides the result for an individual
|
|
policy
|
|
properties:
|
|
category:
|
|
description: Category indicates policy category
|
|
type: string
|
|
message:
|
|
description: Message is a short user friendly description of the
|
|
policy rule
|
|
type: string
|
|
policy:
|
|
description: Policy is the name of the policy
|
|
type: string
|
|
properties:
|
|
additionalProperties:
|
|
type: string
|
|
description: Properties provides additional information for the
|
|
policy rule
|
|
type: object
|
|
resourceSelector:
|
|
description: ResourceSelector is an optional selector for policy
|
|
results that apply to multiple resources. For example, a policy
|
|
result may apply to all pods that match a label. Either a Resource
|
|
or a ResourceSelector can be specified. If neither are provided,
|
|
the result is assumed to be for the policy report scope.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label selector requirements.
|
|
The requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement is a selector that
|
|
contains values, a key, and an operator that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's relationship
|
|
to a set of values. Valid operators are In, NotIn, Exists
|
|
and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string values. If the
|
|
operator is In or NotIn, the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist, the values
|
|
array must be empty. This array is replaced during a
|
|
strategic merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value} pairs. A single
|
|
{key,value} in the matchLabels map is equivalent to an element
|
|
of matchExpressions, whose key field is "key", the operator
|
|
is "In", and the values array contains only "value". The requirements
|
|
are ANDed.
|
|
type: object
|
|
type: object
|
|
resources:
|
|
description: Resources is an optional reference to the resource
|
|
checked by the policy and rule
|
|
items:
|
|
description: 'ObjectReference contains enough information to let
|
|
you inspect or modify the referred object. --- New uses of this
|
|
type are discouraged because of difficulty describing its usage
|
|
when embedded in APIs. 1. Ignored fields. It includes many
|
|
fields which are not generally honored. For instance, ResourceVersion
|
|
and FieldPath are both very rarely valid in actual usage. 2.
|
|
Invalid usage help. It is impossible to add specific help for
|
|
individual usage. In most embedded usages, there are particular
|
|
restrictions like, "must refer only to types A and B" or "UID
|
|
not honored" or "name must be restricted". Those cannot be well
|
|
described when embedded. 3. Inconsistent validation. Because
|
|
the usages are different, the validation rules are different
|
|
by usage, which makes it hard for users to predict what will
|
|
happen. 4. The fields are both imprecise and overly precise. Kind
|
|
is not a precise mapping to a URL. This can produce ambiguity
|
|
during interpretation and require a REST mapping. In most cases,
|
|
the dependency is on the group,resource tuple and the version
|
|
of the actual struct is irrelevant. 5. We cannot easily change
|
|
it. Because this type is embedded in many locations, updates
|
|
to this type will affect numerous schemas. Don''t make new
|
|
APIs embed an underspecified API type they do not control. Instead
|
|
of using this type, create a locally provided and used type
|
|
that is well-focused on your reference. For example, ServiceReferences
|
|
for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
|
|
.'
|
|
properties:
|
|
apiVersion:
|
|
description: API version of the referent.
|
|
type: string
|
|
fieldPath:
|
|
description: 'If referring to a piece of an object instead
|
|
of an entire object, this string should contain a valid
|
|
JSON/Go field access statement, such as desiredState.manifest.containers[2].
|
|
For example, if the object reference is to a container within
|
|
a pod, this would take on a value like: "spec.containers{name}"
|
|
(where "name" refers to the name of the container that triggered
|
|
the event) or if no container name is specified "spec.containers[2]"
|
|
(container with index 2 in this pod). This syntax is chosen
|
|
only to have some well-defined way of referencing a part
|
|
of an object. TODO: this design is not final and this field
|
|
is subject to change in the future.'
|
|
type: string
|
|
kind:
|
|
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
name:
|
|
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
namespace:
|
|
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
|
|
type: string
|
|
resourceVersion:
|
|
description: 'Specific resourceVersion to which this reference
|
|
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
|
|
type: string
|
|
uid:
|
|
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
|
|
type: string
|
|
type: object
|
|
type: array
|
|
result:
|
|
description: Result indicates the outcome of the policy rule execution
|
|
enum:
|
|
- pass
|
|
- fail
|
|
- warn
|
|
- error
|
|
- skip
|
|
type: string
|
|
rule:
|
|
description: Rule is the name of the policy rule
|
|
type: string
|
|
scored:
|
|
description: Scored indicates if this policy rule is scored
|
|
type: boolean
|
|
severity:
|
|
description: Severity indicates policy severity
|
|
enum:
|
|
- high
|
|
- low
|
|
- medium
|
|
type: string
|
|
source:
|
|
description: Source is an identifier for the policy engine that
|
|
manages this report
|
|
type: string
|
|
timestamp:
|
|
description: Timestamp indicates the time the result was found
|
|
properties:
|
|
nanos:
|
|
description: Non-negative fractions of a second at nanosecond
|
|
resolution. Negative second values with fractions must still
|
|
have non-negative nanos values that count forward in time.
|
|
Must be from 0 to 999,999,999 inclusive. This field may be
|
|
limited in precision depending on context.
|
|
format: int32
|
|
type: integer
|
|
seconds:
|
|
description: Represents seconds of UTC time since Unix epoch
|
|
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
|
|
9999-12-31T23:59:59Z inclusive.
|
|
format: int64
|
|
type: integer
|
|
required:
|
|
- nanos
|
|
- seconds
|
|
type: object
|
|
required:
|
|
- policy
|
|
type: object
|
|
type: array
|
|
scope:
|
|
description: Scope is an optional reference to the report scope (e.g.
|
|
a Deployment, Namespace, or Node)
|
|
properties:
|
|
apiVersion:
|
|
description: API version of the referent.
|
|
type: string
|
|
fieldPath:
|
|
description: 'If referring to a piece of an object instead of an entire
|
|
object, this string should contain a valid JSON/Go field access
|
|
statement, such as desiredState.manifest.containers[2]. For example,
|
|
if the object reference is to a container within a pod, this would
|
|
take on a value like: "spec.containers{name}" (where "name" refers
|
|
to the name of the container that triggered the event) or if no
|
|
container name is specified "spec.containers[2]" (container with
|
|
index 2 in this pod). This syntax is chosen only to have some well-defined
|
|
way of referencing a part of an object. TODO: this design is not
|
|
final and this field is subject to change in the future.'
|
|
type: string
|
|
kind:
|
|
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
name:
|
|
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
namespace:
|
|
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
|
|
type: string
|
|
resourceVersion:
|
|
description: 'Specific resourceVersion to which this reference is
|
|
made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
|
|
type: string
|
|
uid:
|
|
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
|
|
type: string
|
|
type: object
|
|
scopeSelector:
|
|
description: ScopeSelector is an optional selector for multiple scopes
|
|
(e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
|
|
should be specified.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label selector requirements.
|
|
The requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement is a selector that contains
|
|
values, a key, and an operator that relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's relationship to a set
|
|
of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string values. If the operator
|
|
is In or NotIn, the values array must be non-empty. If the
|
|
operator is Exists or DoesNotExist, the values array must
|
|
be empty. This array is replaced during a strategic merge
|
|
patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value} pairs. A single {key,value}
|
|
in the matchLabels map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is "In", and the values array
|
|
contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
summary:
|
|
description: PolicyReportSummary provides a summary of results
|
|
properties:
|
|
error:
|
|
description: Error provides the count of policies that could not be
|
|
evaluated
|
|
type: integer
|
|
fail:
|
|
description: Fail provides the count of policies whose requirements
|
|
were not met
|
|
type: integer
|
|
pass:
|
|
description: Pass provides the count of policies whose requirements
|
|
were met
|
|
type: integer
|
|
skip:
|
|
description: Skip indicates the count of policies that were not selected
|
|
for evaluation
|
|
type: integer
|
|
warn:
|
|
description: Warn provides the count of unscored policies whose requirements
|
|
were not met
|
|
type: integer
|
|
type: object
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources: {}
|
|
---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.8.0
|
|
creationTimestamp: null
|
|
labels:
|
|
app.kubernetes.io/component: kyverno
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/name: kyverno
|
|
app.kubernetes.io/part-of: kyverno
|
|
app.kubernetes.io/version: latest
|
|
name: updaterequests.kyverno.io
|
|
spec:
|
|
group: kyverno.io
|
|
names:
|
|
kind: UpdateRequest
|
|
listKind: UpdateRequestList
|
|
plural: updaterequests
|
|
shortNames:
|
|
- ur
|
|
singular: updaterequest
|
|
scope: Namespaced
|
|
versions:
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .spec.policy
|
|
name: Policy
|
|
type: string
|
|
- jsonPath: .spec.requestType
|
|
name: RuleType
|
|
type: string
|
|
- jsonPath: .spec.resource.kind
|
|
name: ResourceKind
|
|
type: string
|
|
- jsonPath: .spec.resource.name
|
|
name: ResourceName
|
|
type: string
|
|
- jsonPath: .spec.resource.namespace
|
|
name: ResourceNamespace
|
|
type: string
|
|
- jsonPath: .status.state
|
|
name: status
|
|
type: string
|
|
- jsonPath: .metadata.creationTimestamp
|
|
name: Age
|
|
type: date
|
|
name: v1beta1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: UpdateRequestStatus is a request to process mutate and generate
|
|
rules in background.
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Spec is the information to identify the update request.
|
|
properties:
|
|
context:
|
|
description: Context ...
|
|
properties:
|
|
admissionRequestInfo:
|
|
description: AdmissionRequestInfoObject stores the admission request
|
|
and operation details
|
|
properties:
|
|
admissionRequest:
|
|
description: AdmissionRequest describes the admission.Attributes
|
|
for the admission request.
|
|
properties:
|
|
dryRun:
|
|
description: DryRun indicates that modifications will
|
|
definitely not be persisted for this request. Defaults
|
|
to false.
|
|
type: boolean
|
|
kind:
|
|
description: Kind is the fully-qualified type of object
|
|
being submitted (for example, v1.Pod or autoscaling.v1.Scale)
|
|
properties:
|
|
group:
|
|
type: string
|
|
kind:
|
|
type: string
|
|
version:
|
|
type: string
|
|
required:
|
|
- group
|
|
- kind
|
|
- version
|
|
type: object
|
|
name:
|
|
description: Name is the name of the object as presented
|
|
in the request. On a CREATE operation, the client may
|
|
omit name and rely on the server to generate the name. If
|
|
that is the case, this field will contain an empty string.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the namespace associated with
|
|
the request (if any).
|
|
type: string
|
|
object:
|
|
description: Object is the object from the incoming request.
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
oldObject:
|
|
description: OldObject is the existing object. Only populated
|
|
for DELETE and UPDATE requests.
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
operation:
|
|
description: Operation is the operation being performed.
|
|
This may be different than the operation requested.
|
|
e.g. a patch can result in either a CREATE or UPDATE
|
|
Operation.
|
|
type: string
|
|
options:
|
|
description: Options is the operation option structure
|
|
of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions`
|
|
or `meta.k8s.io/v1.CreateOptions`. This may be different
|
|
than the options the caller provided. e.g. for a patch
|
|
request the performed Operation might be a CREATE, in
|
|
which case the Options will a `meta.k8s.io/v1.CreateOptions`
|
|
even though the caller provided `meta.k8s.io/v1.PatchOptions`.
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
requestKind:
|
|
description: "RequestKind is the fully-qualified type
|
|
of the original API request (for example, v1.Pod or
|
|
autoscaling.v1.Scale). If this is specified and differs
|
|
from the value in \"kind\", an equivalent match and
|
|
conversion was performed. \n For example, if deployments
|
|
can be modified via apps/v1 and apps/v1beta1, and a
|
|
webhook registered a rule of `apiGroups:[\"apps\"],
|
|
apiVersions:[\"v1\"], resources: [\"deployments\"]`
|
|
and `matchPolicy: Equivalent`, an API request to apps/v1beta1
|
|
deployments would be converted and sent to the webhook
|
|
with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}`
|
|
(matching the rule the webhook registered for), and
|
|
`requestKind: {group:\"apps\", version:\"v1beta1\",
|
|
kind:\"Deployment\"}` (indicating the kind of the original
|
|
API request). \n See documentation for the \"matchPolicy\"
|
|
field in the webhook configuration type for more details."
|
|
properties:
|
|
group:
|
|
type: string
|
|
kind:
|
|
type: string
|
|
version:
|
|
type: string
|
|
required:
|
|
- group
|
|
- kind
|
|
- version
|
|
type: object
|
|
requestResource:
|
|
description: "RequestResource is the fully-qualified resource
|
|
of the original API request (for example, v1.pods).
|
|
If this is specified and differs from the value in \"resource\",
|
|
an equivalent match and conversion was performed. \n
|
|
For example, if deployments can be modified via apps/v1
|
|
and apps/v1beta1, and a webhook registered a rule of
|
|
`apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources:
|
|
[\"deployments\"]` and `matchPolicy: Equivalent`, an
|
|
API request to apps/v1beta1 deployments would be converted
|
|
and sent to the webhook with `resource: {group:\"apps\",
|
|
version:\"v1\", resource:\"deployments\"}` (matching
|
|
the resource the webhook registered for), and `requestResource:
|
|
{group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}`
|
|
(indicating the resource of the original API request).
|
|
\n See documentation for the \"matchPolicy\" field in
|
|
the webhook configuration type."
|
|
properties:
|
|
group:
|
|
type: string
|
|
resource:
|
|
type: string
|
|
version:
|
|
type: string
|
|
required:
|
|
- group
|
|
- resource
|
|
- version
|
|
type: object
|
|
requestSubResource:
|
|
description: RequestSubResource is the name of the subresource
|
|
of the original API request, if any (for example, "status"
|
|
or "scale") If this is specified and differs from the
|
|
value in "subResource", an equivalent match and conversion
|
|
was performed. See documentation for the "matchPolicy"
|
|
field in the webhook configuration type.
|
|
type: string
|
|
resource:
|
|
description: Resource is the fully-qualified resource
|
|
being requested (for example, v1.pods)
|
|
properties:
|
|
group:
|
|
type: string
|
|
resource:
|
|
type: string
|
|
version:
|
|
type: string
|
|
required:
|
|
- group
|
|
- resource
|
|
- version
|
|
type: object
|
|
subResource:
|
|
description: SubResource is the subresource being requested,
|
|
if any (for example, "status" or "scale")
|
|
type: string
|
|
uid:
|
|
description: UID is an identifier for the individual request/response.
|
|
It allows us to distinguish instances of requests which
|
|
are otherwise identical (parallel requests, requests
|
|
when earlier requests did not modify etc) The UID is
|
|
meant to track the round trip (request/response) between
|
|
the KAS and the WebHook, not the user request. It is
|
|
suitable for correlating log entries between the webhook
|
|
and apiserver, for either auditing or debugging.
|
|
type: string
|
|
userInfo:
|
|
description: UserInfo is information about the requesting
|
|
user
|
|
properties:
|
|
extra:
|
|
additionalProperties:
|
|
description: ExtraValue masks the value so protobuf
|
|
can generate
|
|
items:
|
|
type: string
|
|
type: array
|
|
description: Any additional information provided by
|
|
the authenticator.
|
|
type: object
|
|
groups:
|
|
description: The names of groups this user is a part
|
|
of.
|
|
items:
|
|
type: string
|
|
type: array
|
|
uid:
|
|
description: A unique value that identifies this user
|
|
across time. If this user is deleted and another
|
|
user by the same name is added, they will have different
|
|
UIDs.
|
|
type: string
|
|
username:
|
|
description: The name that uniquely identifies this
|
|
user among all active users.
|
|
type: string
|
|
type: object
|
|
required:
|
|
- kind
|
|
- operation
|
|
- resource
|
|
- uid
|
|
- userInfo
|
|
type: object
|
|
operation:
|
|
description: Operation is the type of resource operation being
|
|
checked for admission control
|
|
type: string
|
|
type: object
|
|
userInfo:
|
|
description: RequestInfo contains permission info carried in an
|
|
admission request.
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is a list of possible clusterRoles
|
|
send the request.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
roles:
|
|
description: Roles is a list of possible role send the request.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
userInfo:
|
|
description: UserInfo is the userInfo carried in the admission
|
|
request.
|
|
properties:
|
|
extra:
|
|
additionalProperties:
|
|
description: ExtraValue masks the value so protobuf
|
|
can generate
|
|
items:
|
|
type: string
|
|
type: array
|
|
description: Any additional information provided by the
|
|
authenticator.
|
|
type: object
|
|
groups:
|
|
description: The names of groups this user is a part of.
|
|
items:
|
|
type: string
|
|
type: array
|
|
uid:
|
|
description: A unique value that identifies this user
|
|
across time. If this user is deleted and another user
|
|
by the same name is added, they will have different
|
|
UIDs.
|
|
type: string
|
|
username:
|
|
description: The name that uniquely identifies this user
|
|
among all active users.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
type: object
|
|
policy:
|
|
description: Specifies the name of the policy.
|
|
type: string
|
|
requestType:
|
|
description: Type represents request type for background processing
|
|
enum:
|
|
- mutate
|
|
- generate
|
|
type: string
|
|
resource:
|
|
description: ResourceSpec is the information to identify the update
|
|
request.
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
type: object
|
|
required:
|
|
- context
|
|
- policy
|
|
- resource
|
|
type: object
|
|
status:
|
|
description: Status contains statistics related to update request.
|
|
properties:
|
|
generatedResources:
|
|
description: This will track the resources that are updated by the
|
|
generate Policy. Will be used during clean up resources.
|
|
items:
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
handler:
|
|
description: Handler represents the instance ID that handles the UR
|
|
type: string
|
|
message:
|
|
description: Specifies request status message.
|
|
type: string
|
|
state:
|
|
description: State represents state of the update request.
|
|
type: string
|
|
required:
|
|
- state
|
|
type: object
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources:
|
|
status: {}
|
|
---
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
labels:
|
|
app: kyverno
|
|
app.kubernetes.io/component: kyverno
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/name: kyverno
|
|
app.kubernetes.io/part-of: kyverno
|
|
app.kubernetes.io/version: latest
|
|
name: kyverno-service-account
|
|
namespace: kyverno
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
labels:
|
|
app: kyverno
|
|
app.kubernetes.io/component: kyverno
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/name: kyverno
|
|
app.kubernetes.io/part-of: kyverno
|
|
app.kubernetes.io/version: latest
|
|
name: kyverno:leaderelection
|
|
namespace: kyverno
|
|
rules:
|
|
- apiGroups:
|
|
- coordination.k8s.io
|
|
resources:
|
|
- leases
|
|
verbs:
|
|
- create
|
|
- delete
|
|
- get
|
|
- patch
|
|
- update
|
|
- apiGroups:
|
|
- apps
|
|
resources:
|
|
- deployments
|
|
verbs:
|
|
- get
|
|
- list
|
|
- patch
|
|
- update
|
|
- watch
|
|
---
|
|
aggregationRule:
|
|
clusterRoleSelectors:
|
|
- matchLabels:
|
|
app: kyverno
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
labels:
|
|
app: kyverno
|
|
app.kubernetes.io/component: kyverno
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/name: kyverno
|
|
app.kubernetes.io/part-of: kyverno
|
|
app.kubernetes.io/version: latest
|
|
name: kyverno
|
|
rules: []
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
labels:
|
|
app: kyverno
|
|
app.kubernetes.io/component: kyverno
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/name: kyverno
|
|
app.kubernetes.io/part-of: kyverno
|
|
app.kubernetes.io/version: latest
|
|
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
|
name: kyverno:admin-generaterequest
|
|
rules:
|
|
- apiGroups:
|
|
- kyverno.io
|
|
resources:
|
|
- generaterequests
|
|
verbs:
|
|
- create
|
|
- delete
|
|
- get
|
|
- list
|
|
- patch
|
|
- update
|
|
- watch
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
labels:
|
|
app: kyverno
|
|
app.kubernetes.io/component: kyverno
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/name: kyverno
|
|
app.kubernetes.io/part-of: kyverno
|
|
app.kubernetes.io/version: latest
|
|
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
|
name: kyverno:admin-policies
|
|
rules:
|
|
- apiGroups:
|
|
- kyverno.io
|
|
resources:
|
|
- policies
|
|
- clusterpolicies
|
|
verbs:
|
|
- create
|
|
- delete
|
|
- get
|
|
- list
|
|
- patch
|
|
- update
|
|
- watch
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
labels:
|
|
app: kyverno
|
|
app.kubernetes.io/component: kyverno
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/name: kyverno
|
|
app.kubernetes.io/part-of: kyverno
|
|
app.kubernetes.io/version: latest
|
|
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
|
name: kyverno:admin-policyreport
|
|
rules:
|
|
- apiGroups:
|
|
- wgpolicyk8s.io
|
|
resources:
|
|
- policyreports
|
|
- clusterpolicyreports
|
|
verbs:
|
|
- create
|
|
- delete
|
|
- get
|
|
- list
|
|
- patch
|
|
- update
|
|
- watch
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
labels:
|
|
app: kyverno
|
|
app.kubernetes.io/component: kyverno
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/name: kyverno
|
|
app.kubernetes.io/part-of: kyverno
|
|
app.kubernetes.io/version: latest
|
|
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
|
name: kyverno:admin-reportchangerequest
|
|
rules:
|
|
- apiGroups:
|
|
- kyverno.io
|
|
resources:
|
|
- reportchangerequests
|
|
- clusterreportchangerequests
|
|
verbs:
|
|
- create
|
|
- delete
|
|
- get
|
|
- list
|
|
- patch
|
|
- update
|
|
- watch
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
labels:
|
|
app: kyverno
|
|
app.kubernetes.io/component: kyverno
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/name: kyverno
|
|
app.kubernetes.io/part-of: kyverno
|
|
app.kubernetes.io/version: latest
|
|
name: kyverno:events
|
|
rules:
|
|
- apiGroups:
|
|
- '*'
|
|
resources:
|
|
- events
|
|
verbs:
|
|
- create
|
|
- update
|
|
- patch
|
|
- delete
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
labels:
|
|
app: kyverno
|
|
app.kubernetes.io/component: kyverno
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/name: kyverno
|
|
app.kubernetes.io/part-of: kyverno
|
|
app.kubernetes.io/version: latest
|
|
name: kyverno:generate
|
|
rules:
|
|
- apiGroups:
|
|
- networking.k8s.io
|
|
resources:
|
|
- ingresses
|
|
- ingressclasses
|
|
- networkpolicies
|
|
verbs:
|
|
- create
|
|
- update
|
|
- patch
|
|
- delete
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- namespaces
|
|
- configmaps
|
|
- secrets
|
|
- resourcequotas
|
|
- limitranges
|
|
verbs:
|
|
- create
|
|
- update
|
|
- patch
|
|
- delete
|
|
- apiGroups:
|
|
- rbac.authorization.k8s.io
|
|
resources:
|
|
- rolebindings
|
|
- roles
|
|
verbs:
|
|
- create
|
|
- update
|
|
- patch
|
|
- delete
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
labels:
|
|
app: kyverno
|
|
app.kubernetes.io/component: kyverno
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/name: kyverno
|
|
app.kubernetes.io/part-of: kyverno
|
|
app.kubernetes.io/version: latest
|
|
name: kyverno:policies
|
|
rules:
|
|
- apiGroups:
|
|
- kyverno.io
|
|
resources:
|
|
- policies
|
|
- policies/status
|
|
- clusterpolicies
|
|
- clusterpolicies/status
|
|
- generaterequests
|
|
- generaterequests/status
|
|
- updaterequests
|
|
- updaterequests/status
|
|
- reportchangerequests
|
|
- reportchangerequests/status
|
|
- clusterreportchangerequests
|
|
- clusterreportchangerequests/status
|
|
verbs:
|
|
- create
|
|
- delete
|
|
- get
|
|
- list
|
|
- patch
|
|
- update
|
|
- watch
|
|
- deletecollection
|
|
- apiGroups:
|
|
- wgpolicyk8s.io
|
|
resources:
|
|
- policyreports
|
|
- policyreports/status
|
|
- clusterpolicyreports
|
|
- clusterpolicyreports/status
|
|
verbs:
|
|
- create
|
|
- delete
|
|
- get
|
|
- list
|
|
- patch
|
|
- update
|
|
- watch
|
|
- deletecollection
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
labels:
|
|
app: kyverno
|
|
app.kubernetes.io/component: kyverno
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/name: kyverno
|
|
app.kubernetes.io/part-of: kyverno
|
|
app.kubernetes.io/version: latest
|
|
name: kyverno:userinfo
|
|
rules:
|
|
- apiGroups:
|
|
- rbac.authorization.k8s.io
|
|
resources:
|
|
- roles
|
|
- clusterroles
|
|
- rolebindings
|
|
- clusterrolebindings
|
|
verbs:
|
|
- watch
|
|
- list
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
labels:
|
|
app: kyverno
|
|
app.kubernetes.io/component: kyverno
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/name: kyverno
|
|
app.kubernetes.io/part-of: kyverno
|
|
app.kubernetes.io/version: latest
|
|
name: kyverno:view
|
|
rules:
|
|
- apiGroups:
|
|
- '*'
|
|
resources:
|
|
- '*'
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
labels:
|
|
app: kyverno
|
|
app.kubernetes.io/component: kyverno
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/name: kyverno
|
|
app.kubernetes.io/part-of: kyverno
|
|
app.kubernetes.io/version: latest
|
|
name: kyverno:webhook
|
|
rules:
|
|
- apiGroups:
|
|
- admissionregistration.k8s.io
|
|
resources:
|
|
- mutatingwebhookconfigurations
|
|
- validatingwebhookconfigurations
|
|
verbs:
|
|
- create
|
|
- delete
|
|
- get
|
|
- list
|
|
- patch
|
|
- update
|
|
- watch
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
labels:
|
|
app: kyverno
|
|
app.kubernetes.io/component: kyverno
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/name: kyverno
|
|
app.kubernetes.io/part-of: kyverno
|
|
app.kubernetes.io/version: latest
|
|
name: kyverno:leaderelection
|
|
namespace: kyverno
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: Role
|
|
name: kyverno:leaderelection
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: kyverno-service-account
|
|
namespace: kyverno
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
labels:
|
|
app: kyverno
|
|
app.kubernetes.io/component: kyverno
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/name: kyverno
|
|
app.kubernetes.io/part-of: kyverno
|
|
app.kubernetes.io/version: latest
|
|
name: kyverno
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: kyverno
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: kyverno-service-account
|
|
namespace: kyverno
|
|
---
|
|
apiVersion: v1
|
|
data:
|
|
excludeGroupRole: system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler
|
|
generateSuccessEvents: "false"
|
|
resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,kyverno*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]'
|
|
kind: ConfigMap
|
|
metadata:
|
|
labels:
|
|
app: kyverno
|
|
app.kubernetes.io/component: kyverno
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/name: kyverno
|
|
app.kubernetes.io/part-of: kyverno
|
|
app.kubernetes.io/version: latest
|
|
name: kyverno
|
|
namespace: kyverno
|
|
---
|
|
apiVersion: v1
|
|
data:
|
|
metricsRefreshInterval: 24h
|
|
namespaces: '{"exclude":[],"include":[]}'
|
|
kind: ConfigMap
|
|
metadata:
|
|
labels:
|
|
app: kyverno
|
|
app.kubernetes.io/component: kyverno
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/name: kyverno
|
|
app.kubernetes.io/part-of: kyverno
|
|
app.kubernetes.io/version: latest
|
|
name: kyverno-metrics
|
|
namespace: kyverno
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
labels:
|
|
app: kyverno
|
|
app.kubernetes.io/component: kyverno
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/name: kyverno
|
|
app.kubernetes.io/part-of: kyverno
|
|
app.kubernetes.io/version: latest
|
|
name: kyverno-svc
|
|
namespace: kyverno
|
|
spec:
|
|
ports:
|
|
- name: https
|
|
port: 443
|
|
targetPort: https
|
|
selector:
|
|
app: kyverno
|
|
app.kubernetes.io/name: kyverno
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
labels:
|
|
app: kyverno
|
|
app.kubernetes.io/component: kyverno
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/name: kyverno
|
|
app.kubernetes.io/part-of: kyverno
|
|
app.kubernetes.io/version: latest
|
|
name: kyverno-svc-metrics
|
|
namespace: kyverno
|
|
spec:
|
|
ports:
|
|
- name: metrics-port
|
|
port: 8000
|
|
targetPort: metrics-port
|
|
selector:
|
|
app: kyverno
|
|
app.kubernetes.io/name: kyverno
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
labels:
|
|
app: kyverno
|
|
app.kubernetes.io/component: kyverno
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/name: kyverno
|
|
app.kubernetes.io/part-of: kyverno
|
|
app.kubernetes.io/version: latest
|
|
name: kyverno
|
|
namespace: kyverno
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app: kyverno
|
|
app.kubernetes.io/name: kyverno
|
|
strategy:
|
|
rollingUpdate:
|
|
maxSurge: 1
|
|
maxUnavailable: 40%
|
|
type: RollingUpdate
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: kyverno
|
|
app.kubernetes.io/component: kyverno
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/name: kyverno
|
|
app.kubernetes.io/part-of: kyverno
|
|
app.kubernetes.io/version: latest
|
|
spec:
|
|
affinity:
|
|
podAntiAffinity:
|
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|
- podAffinityTerm:
|
|
labelSelector:
|
|
matchExpressions:
|
|
- key: app.kubernetes.io/name
|
|
operator: In
|
|
values:
|
|
- kyverno
|
|
topologyKey: kubernetes.io/hostname
|
|
weight: 1
|
|
containers:
|
|
- args:
|
|
- -v=2
|
|
- --autogenInternals=false
|
|
env:
|
|
- name: INIT_CONFIG
|
|
value: kyverno
|
|
- name: METRICS_CONFIG
|
|
value: kyverno-metrics
|
|
- name: KYVERNO_NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.namespace
|
|
- name: KYVERNO_POD_NAME
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.name
|
|
- name: KYVERNO_SVC
|
|
value: kyverno-svc
|
|
- name: TUF_ROOT
|
|
value: /.sigstore
|
|
image: ghcr.io/kyverno/kyverno:latest
|
|
imagePullPolicy: Always
|
|
livenessProbe:
|
|
failureThreshold: 2
|
|
httpGet:
|
|
path: /health/liveness
|
|
port: 9443
|
|
scheme: HTTPS
|
|
initialDelaySeconds: 15
|
|
periodSeconds: 30
|
|
successThreshold: 1
|
|
timeoutSeconds: 5
|
|
name: kyverno
|
|
ports:
|
|
- containerPort: 9443
|
|
name: https
|
|
protocol: TCP
|
|
- containerPort: 8000
|
|
name: metrics-port
|
|
protocol: TCP
|
|
readinessProbe:
|
|
failureThreshold: 4
|
|
httpGet:
|
|
path: /health/readiness
|
|
port: 9443
|
|
scheme: HTTPS
|
|
initialDelaySeconds: 5
|
|
periodSeconds: 10
|
|
successThreshold: 1
|
|
timeoutSeconds: 5
|
|
resources:
|
|
limits:
|
|
memory: 384Mi
|
|
requests:
|
|
cpu: 100m
|
|
memory: 128Mi
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
privileged: false
|
|
readOnlyRootFilesystem: true
|
|
runAsNonRoot: true
|
|
volumeMounts:
|
|
- mountPath: /.sigstore
|
|
name: sigstore
|
|
initContainers:
|
|
- env:
|
|
- name: METRICS_CONFIG
|
|
value: kyverno-metrics
|
|
- name: KYVERNO_NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.namespace
|
|
image: ghcr.io/kyverno/kyvernopre:latest
|
|
imagePullPolicy: Always
|
|
name: kyverno-pre
|
|
resources:
|
|
limits:
|
|
cpu: 100m
|
|
memory: 256Mi
|
|
requests:
|
|
cpu: 10m
|
|
memory: 64Mi
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
privileged: false
|
|
readOnlyRootFilesystem: true
|
|
runAsNonRoot: true
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
serviceAccountName: kyverno-service-account
|
|
volumes:
|
|
- emptyDir: {}
|
|
name: sigstore
|