---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.12.0
|
|
name: policies.kyverno.io
|
|
spec:
|
|
group: kyverno.io
|
|
names:
|
|
categories:
|
|
- kyverno
|
|
kind: Policy
|
|
listKind: PolicyList
|
|
plural: policies
|
|
shortNames:
|
|
- pol
|
|
singular: policy
|
|
scope: Namespaced
|
|
versions:
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .spec.admission
|
|
name: ADMISSION
|
|
type: boolean
|
|
- jsonPath: .spec.background
|
|
name: BACKGROUND
|
|
type: boolean
|
|
- jsonPath: .spec.validationFailureAction
|
|
name: VALIDATE ACTION
|
|
type: string
|
|
- jsonPath: .status.conditions[?(@.type == "Ready")].status
|
|
name: READY
|
|
type: string
|
|
- jsonPath: .metadata.creationTimestamp
|
|
name: AGE
|
|
type: date
|
|
- jsonPath: .spec.failurePolicy
|
|
name: FAILURE POLICY
|
|
priority: 1
|
|
type: string
|
|
- jsonPath: .status.rulecount.validate
|
|
name: VALIDATE
|
|
priority: 1
|
|
type: integer
|
|
- jsonPath: .status.rulecount.mutate
|
|
name: MUTATE
|
|
priority: 1
|
|
type: integer
|
|
- jsonPath: .status.rulecount.generate
|
|
name: GENERATE
|
|
priority: 1
|
|
type: integer
|
|
- jsonPath: .status.rulecount.verifyimages
|
|
name: VERIFY IMAGES
|
|
priority: 1
|
|
type: integer
|
|
- jsonPath: .status.conditions[?(@.type == "Ready")].message
|
|
name: MESSAGE
|
|
type: string
|
|
name: v1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: 'Policy declares validation, mutation, and generation behaviors
|
|
for matching resources. See: https://kyverno.io/docs/writing-policies/ for
|
|
more information.'
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Spec defines policy behaviors and contains one or more rules.
|
|
properties:
|
|
admission:
|
|
default: true
|
|
description: Admission controls if rules are applied during admission.
|
|
Optional. Default value is "true".
|
|
type: boolean
|
|
applyRules:
|
|
description: ApplyRules controls how rules in a policy are applied.
|
|
Rule are processed in the order of declaration. When set to `One`
|
|
processing stops after a rule has been applied i.e. the rule matches
|
|
and results in a pass, fail, or error. When set to `All` all rules
|
|
in the policy are processed. The default is `All`.
|
|
enum:
|
|
- All
|
|
- One
|
|
type: string
|
|
background:
|
|
default: true
|
|
description: Background controls if rules are applied to existing
|
|
resources during a background scan. Optional. Default value is "true".
|
|
The value must be set to "false" if the policy rule uses variables
|
|
that are only available in the admission review request (e.g. user
|
|
name).
|
|
type: boolean
|
|
failurePolicy:
|
|
description: FailurePolicy defines how unexpected policy errors and
|
|
webhook response timeout errors are handled. Rules within the same
|
|
policy share the same failure behavior. This field should not be
|
|
accessed directly, instead `GetFailurePolicy()` should be used.
|
|
Allowed values are Ignore or Fail. Defaults to Fail.
|
|
enum:
|
|
- Ignore
|
|
- Fail
|
|
type: string
|
|
generateExisting:
|
|
description: GenerateExisting controls whether to trigger generate
|
|
rule in existing resources. If set to "true", the generate rule will
|
|
be triggered and applied to existing matched resources. Defaults
|
|
to "false" if not specified.
|
|
type: boolean
|
|
generateExistingOnPolicyUpdate:
|
|
description: Deprecated, use generateExisting instead
|
|
type: boolean
|
|
mutateExistingOnPolicyUpdate:
|
|
description: MutateExistingOnPolicyUpdate controls if a mutateExisting
|
|
policy is applied on policy events. Default value is "false".
|
|
type: boolean
|
|
rules:
|
|
description: Rules is a list of Rule instances. A Policy contains
|
|
multiple rules and each rule can validate, mutate, or generate resources.
|
|
items:
|
|
description: Rule defines a validation, mutation, or generation
|
|
control for matching resources. Each rule contains a match declaration
|
|
to select resources, and an optional exclude declaration to specify
|
|
which resources to exclude.
|
|
properties:
|
|
celPreconditions:
|
|
description: CELPreconditions are used to determine if a policy
|
|
rule should be applied by evaluating a set of CEL conditions.
|
|
It can only be used with the validate.cel subrule
|
|
items:
|
|
description: MatchCondition represents a condition which must
|
|
be fulfilled for a request to be sent to a webhook.
|
|
properties:
|
|
expression:
|
|
description: "Expression represents the expression which
|
|
will be evaluated by CEL. Must evaluate to bool. CEL
|
|
expressions have access to the contents of the AdmissionRequest
|
|
and Authorizer, organized into CEL variables: \n 'object'
|
|
- The object from the incoming request. The value is
|
|
null for DELETE requests. 'oldObject' - The existing
|
|
object. The value is null for CREATE requests. 'request'
|
|
- Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
|
|
'authorizer' - A CEL Authorizer. May be used to perform
|
|
authorization checks for the principal (user or service
|
|
account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
|
'authorizer.requestResource' - A CEL ResourceCheck constructed
|
|
from the 'authorizer' and configured with the request
|
|
resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
|
|
\n Required."
|
|
type: string
|
|
name:
|
|
description: "Name is an identifier for this match condition,
|
|
used for strategic merging of MatchConditions, as well
|
|
as providing an identifier for logging purposes. A good
|
|
name should be descriptive of the associated expression.
|
|
Name must be a qualified name consisting of alphanumeric
|
|
characters, '-', '_' or '.', and must start and end
|
|
with an alphanumeric character (e.g. 'MyName', or 'my.name',
|
|
\ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
|
|
with an optional DNS subdomain prefix and '/' (e.g.
|
|
'example.com/MyName') \n Required."
|
|
type: string
|
|
required:
|
|
- expression
|
|
- name
|
|
type: object
|
|
type: array
|
|
context:
|
|
description: Context defines variables and data sources that
|
|
can be used during rule execution.
|
|
items:
|
|
description: ContextEntry adds variables and data sources
|
|
to a rule Context. Either a ConfigMap reference or an APILookup
|
|
must be provided.
|
|
properties:
|
|
apiCall:
|
|
description: APICall is an HTTP request to the Kubernetes
|
|
API server, or other JSON web service. The data returned
|
|
is stored in the context with the name for the context
|
|
entry.
|
|
properties:
|
|
data:
|
|
description: Data specifies the POST data sent to
|
|
the server.
|
|
items:
|
|
description: RequestData contains the HTTP POST
|
|
data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier for
|
|
the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
jmesPath:
|
|
description: JMESPath is an optional JSON Match Expression
|
|
that can be used to transform the JSON response
|
|
returned from the server. For example a JMESPath
|
|
of "items | length(@)" applied to the API server
|
|
response for the URLPath "/apis/apps/v1/deployments"
|
|
will return the total count of deployments across
|
|
all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request type (GET
|
|
or POST).
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: Service is an API call to a JSON web
|
|
service
|
|
properties:
|
|
caBundle:
|
|
description: CABundle is a PEM encoded CA bundle
|
|
which will be used to validate the server certificate.
|
|
type: string
|
|
url:
|
|
description: URL is the JSON web service URL.
|
|
A typical form is `https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: URLPath is the URL path to be used in
|
|
the HTTP GET or POST request to the Kubernetes API
|
|
server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the
|
|
`kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: ImageRegistry defines requests to an OCI/Docker
|
|
V2 registry to fetch image details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides credentials
|
|
that will be used for authentication with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows insecure
|
|
access to a registry
|
|
type: boolean
|
|
providers:
|
|
description: 'Providers specifies a list of OCI
|
|
Registry names, whose authentication providers
|
|
are provided. It can be one of these values:
|
|
AWS, ACR, GCP, GHCR'
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential providers
|
|
required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: Secrets specifies a list of secrets
|
|
that are provided for credentials. Secrets must
|
|
live in the Kyverno namespace
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: JMESPath is an optional JSON Match Expression
|
|
that can be used to transform the ImageData struct
|
|
returned as a result of processing the image reference.
|
|
type: string
|
|
reference:
|
|
description: 'Reference is image reference to a container
|
|
image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath context
|
|
variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: Default is an optional arbitrary JSON
|
|
object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: JMESPath is an optional JMESPath Expression
|
|
that can be used to transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON object representable
|
|
in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: object
|
|
type: array
|
|
exclude:
|
|
description: ExcludeResources defines when this policy rule
|
|
should not be applied. The exclude criteria can include resource
|
|
information (e.g. kind, name, namespace, labels) and admission
|
|
review request information like the name or role.
|
|
properties:
|
|
all:
|
|
description: All allows specifying resources which will
|
|
be ANDed
|
|
items:
|
|
description: ResourceFilter allows users to "AND" or "OR"
|
|
between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations is a map of annotations
|
|
(key-value pairs of type string). Annotation
|
|
keys and values support the wildcard characters
|
|
"*" (matches zero or many characters) and "?"
|
|
(matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: 'Name is the name of the resource.
|
|
The name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one
|
|
character). NOTE: "Name" is being deprecated
|
|
in favor of "Names".'
|
|
type: string
|
|
names:
|
|
description: Names are the names of the resources.
|
|
Each name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one
|
|
character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: 'NamespaceSelector is a label selector
|
|
for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters
|
|
`*` (matches zero or many characters) and `?`
|
|
(matches one character). Wildcards allow writing
|
|
label selectors like ["storage.k8s.io/*": "*"].
|
|
Note that using ["*" : "*"] matches any key
|
|
and value but does not match an empty label
|
|
set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a
|
|
key, and an operator that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only
|
|
"value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: Namespaces is a list of namespace
|
|
names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?"
|
|
(at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used
|
|
to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one
|
|
of the values CREATE, UPDATE, CONNECT, DELETE,
|
|
which are used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: 'Selector is a label selector. Label
|
|
keys and values in `matchLabels` support the
|
|
wildcard characters `*` (matches zero or many
|
|
characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*"
|
|
: "*"] matches any key and value but does not
|
|
match an empty label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a
|
|
key, and an operator that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only
|
|
"value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: Subject contains a reference to the
|
|
object or user identities a role binding applies
|
|
to. This can either hold a direct API object
|
|
reference, or a value for non-objects such as
|
|
user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: APIGroup holds the API group of
|
|
the referenced subject. Defaults to "" for
|
|
ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
|
|
for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: Kind of object being referenced.
|
|
Values defined by this API group are "User",
|
|
"Group", and "ServiceAccount". If the Authorizer
|
|
does not recognize the kind value, the Authorizer
|
|
should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the referenced object. If
|
|
the object kind is non-namespace, such as
|
|
"User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: Any allows specifying resources which will
|
|
be ORed
|
|
items:
|
|
description: ResourceFilter allows users to "AND" or "OR"
|
|
between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations is a map of annotations
|
|
(key-value pairs of type string). Annotation
|
|
keys and values support the wildcard characters
|
|
"*" (matches zero or many characters) and "?"
|
|
(matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: 'Name is the name of the resource.
|
|
The name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one
|
|
character). NOTE: "Name" is being deprecated
|
|
in favor of "Names".'
|
|
type: string
|
|
names:
|
|
description: Names are the names of the resources.
|
|
Each name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one
|
|
character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: 'NamespaceSelector is a label selector
|
|
for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters
|
|
`*` (matches zero or many characters) and `?`
|
|
(matches one character). Wildcards allow writing
|
|
label selectors like ["storage.k8s.io/*": "*"].
|
|
Note that using ["*" : "*"] matches any key
|
|
and value but does not match an empty label
|
|
set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a
|
|
key, and an operator that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only
|
|
"value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: Namespaces is a list of namespace
|
|
names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?"
|
|
(at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used
|
|
to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one
|
|
of the values CREATE, UPDATE, CONNECT, DELETE,
|
|
which are used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: 'Selector is a label selector. Label
|
|
keys and values in `matchLabels` support the
|
|
wildcard characters `*` (matches zero or many
|
|
characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*"
|
|
: "*"] matches any key and value but does not
|
|
match an empty label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a
|
|
key, and an operator that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only
|
|
"value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: Subject contains a reference to the
|
|
object or user identities a role binding applies
|
|
to. This can either hold a direct API object
|
|
reference, or a value for non-objects such as
|
|
user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: APIGroup holds the API group of
|
|
the referenced subject. Defaults to "" for
|
|
ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
|
|
for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: Kind of object being referenced.
|
|
Values defined by this API group are "User",
|
|
"Group", and "ServiceAccount". If the Authorizer
|
|
does not recognize the kind value, the Authorizer
|
|
should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the referenced object. If
|
|
the object kind is non-namespace, such as
|
|
"User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information about
|
|
the resource being created or modified. Requires at least
|
|
one tag to be specified when under MatchResources. Specifying
|
|
ResourceDescription directly under match is being deprecated.
|
|
Please specify under "any" or "all" instead.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations is a map of annotations (key-value
|
|
pairs of type string). Annotation keys and values
|
|
support the wildcard characters "*" (matches zero
|
|
or many characters) and "?" (matches at least one
|
|
character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: 'Name is the name of the resource. The
|
|
name supports wildcard characters "*" (matches zero
|
|
or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".'
|
|
type: string
|
|
names:
|
|
description: Names are the names of the resources. Each
|
|
name supports wildcard characters "*" (matches zero
|
|
or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: 'NamespaceSelector is a label selector
|
|
for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*`
|
|
(matches zero or many characters) and `?` (matches
|
|
one character). Wildcards allow writing label selectors
|
|
like ["storage.k8s.io/*": "*"]. Note that using ["*"
|
|
: "*"] matches any key and value but does not match
|
|
an empty label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement is a
|
|
selector that contains values, a key, and an
|
|
operator that relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's relationship
|
|
to a set of values. Valid operators are
|
|
In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the
|
|
operator is Exists or DoesNotExist, the
|
|
values array must be empty. This array is
|
|
replaced during a strategic merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is "In",
|
|
and the values array contains only "value". The
|
|
requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: Namespaces is a list of namespace names.
|
|
Each name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used to
|
|
match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one of the
|
|
values CREATE, UPDATE, CONNECT, DELETE, which are
|
|
used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: 'Selector is a label selector. Label keys
|
|
and values in `matchLabels` support the wildcard characters
|
|
`*` (matches zero or many characters) and `?` (matches
|
|
one character). Wildcards allow writing label selectors
|
|
like ["storage.k8s.io/*": "*"]. Note that using ["*"
|
|
: "*"] matches any key and value but does not match
|
|
an empty label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement is a
|
|
selector that contains values, a key, and an
|
|
operator that relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's relationship
|
|
to a set of values. Valid operators are
|
|
In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the
|
|
operator is Exists or DoesNotExist, the
|
|
values array must be empty. This array is
|
|
replaced during a strategic merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is "In",
|
|
and the values array contains only "value". The
|
|
requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: Subject contains a reference to the object
|
|
or user identities a role binding applies to. This
|
|
can either hold a direct API object reference, or a
|
|
value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: APIGroup holds the API group of the referenced
|
|
subject. Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User
|
|
and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: Kind of object being referenced. Values
|
|
defined by this API group are "User", "Group", and
|
|
"ServiceAccount". If the Authorizer does not recognize
|
|
the kind value, the Authorizer should report an
|
|
error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the referenced object. If
|
|
the object kind is non-namespaced, such as "User"
|
|
or "Group", and this value is not empty the Authorizer
|
|
should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
generate:
|
|
description: Generation is used to create new resources.
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
clone:
|
|
description: Clone specifies the source resource used to
|
|
populate each generated resource. At most one of Data
|
|
or Clone can be specified. If neither are provided, the
|
|
generated resource will be created with default data only.
|
|
properties:
|
|
name:
|
|
description: Name specifies name of the resource.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies source resource namespace.
|
|
type: string
|
|
type: object
|
|
cloneList:
|
|
description: CloneList specifies the list of source resources
|
|
used to populate each generated resource.
|
|
properties:
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespace:
|
|
description: Namespace specifies source resource namespace.
|
|
type: string
|
|
selector:
|
|
description: Selector is a label selector used to pick the
|
|
source resources to clone. Wildcard characters are not
|
|
supported in `matchLabels` keys or values; only exact matches apply.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement is a
|
|
selector that contains values, a key, and an
|
|
operator that relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's relationship
|
|
to a set of values. Valid operators are
|
|
In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the
|
|
operator is Exists or DoesNotExist, the
|
|
values array must be empty. This array is
|
|
replaced during a strategic merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is "In",
|
|
and the values array contains only "value". The
|
|
requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
data:
|
|
description: Data provides the resource declaration used
|
|
to populate each generated resource. At most one of Data
|
|
or Clone can be specified. If neither are provided, the
|
|
generated resource will be created with default data only.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
synchronize:
|
|
description: Synchronize controls if generated resources
|
|
should be kept in-sync with their source resource. If
|
|
Synchronize is set to "true" changes to generated resources
|
|
will be overwritten with resource data from Data or the
|
|
resource specified in the Clone declaration. Optional.
|
|
Defaults to "false" if not specified.
|
|
type: boolean
|
|
type: object
|
|
imageExtractors:
|
|
additionalProperties:
|
|
items:
|
|
properties:
|
|
jmesPath:
|
|
description: 'JMESPath is an optional JMESPath expression
|
|
to apply to the image value. This is useful when the
|
|
extracted image begins with a prefix like ''docker://''.
|
|
The ''trim_prefix'' function may be used to trim the
|
|
prefix: trim_prefix(@, ''docker://''). Note - Image
|
|
digest mutation may not be used when applying a JMESPath
|
|
to an image.'
|
|
type: string
|
|
key:
|
|
description: Key is an optional name of the field within
|
|
'path' that will be used to uniquely identify an image.
|
|
Note - this field MUST be unique.
|
|
type: string
|
|
name:
|
|
description: Name is the entry the image will be available
|
|
under 'images.<name>' in the context. If this field
|
|
is not defined, image entries will appear under 'images.custom'.
|
|
type: string
|
|
path:
|
|
description: Path is the path to the object containing
|
|
the image field in a custom resource. It should be
|
|
slash-separated. Each slash-separated key must be
|
|
a valid YAML key or a wildcard '*'. Wildcard keys
|
|
are expanded in case of arrays or objects.
|
|
type: string
|
|
value:
|
|
description: Value is an optional name of the field
|
|
within 'path' that points to the image URI. This is
|
|
useful when a custom 'key' is also defined.
|
|
type: string
|
|
required:
|
|
- path
|
|
type: object
|
|
type: array
|
|
description: ImageExtractors defines a mapping from kinds to
|
|
ImageExtractorConfigs. This config is only valid for verifyImages
|
|
rules.
|
|
type: object
|
|
match:
|
|
description: MatchResources defines when this policy rule should
|
|
be applied. The match criteria can include resource information
|
|
(e.g. kind, name, namespace, labels) and admission review
|
|
request information like the user name or role. At least one
|
|
kind is required.
|
|
properties:
|
|
all:
|
|
description: All allows specifying resources which will
|
|
be ANDed
|
|
items:
|
|
description: ResourceFilter allows users to "AND" or "OR"
|
|
between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations is a map of annotations
|
|
(key-value pairs of type string). Annotation
|
|
keys and values support the wildcard characters
|
|
"*" (matches zero or many characters) and "?"
|
|
(matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: 'Name is the name of the resource.
|
|
The name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one
|
|
character). NOTE: "Name" is being deprecated
|
|
in favor of "Names".'
|
|
type: string
|
|
names:
|
|
description: Names are the names of the resources.
|
|
Each name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one
|
|
character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: 'NamespaceSelector is a label selector
|
|
for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters
|
|
`*` (matches zero or many characters) and `?`
|
|
(matches one character). Wildcards allow writing
|
|
label selectors like ["storage.k8s.io/*": "*"].
|
|
Note that using ["*" : "*"] matches any key
|
|
and value but does not match an empty label
|
|
set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a
|
|
key, and an operator that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only
|
|
"value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: Namespaces is a list of namespace
|
|
names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?"
|
|
(at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used
|
|
to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one
|
|
of the values CREATE, UPDATE, CONNECT, DELETE,
|
|
which are used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: 'Selector is a label selector. Label
|
|
keys and values in `matchLabels` support the
|
|
wildcard characters `*` (matches zero or many
|
|
characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*"
|
|
: "*"] matches any key and value but does not
|
|
match an empty label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a
|
|
key, and an operator that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only
|
|
"value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: Subject contains a reference to the
|
|
object or user identities a role binding applies
|
|
to. This can either hold a direct API object
|
|
reference, or a value for non-objects such as
|
|
user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: APIGroup holds the API group of
|
|
the referenced subject. Defaults to "" for
|
|
ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
|
|
for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: Kind of object being referenced.
|
|
Values defined by this API group are "User",
|
|
"Group", and "ServiceAccount". If the Authorizer
|
|
does not recognize the kind value, the Authorizer
|
|
should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the referenced object. If
|
|
the object kind is non-namespaced, such as
|
|
"User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: Any allows specifying resources which will
|
|
be ORed
|
|
items:
|
|
description: ResourceFilter allows users to "AND" or "OR"
|
|
between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations is a map of annotations
|
|
(key-value pairs of type string). Annotation
|
|
keys and values support the wildcard characters
|
|
"*" (matches zero or many characters) and "?"
|
|
(matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: 'Name is the name of the resource.
|
|
The name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one
|
|
character). NOTE: "Name" is being deprecated
|
|
in favor of "Names".'
|
|
type: string
|
|
names:
|
|
description: Names are the names of the resources.
|
|
Each name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one
|
|
character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: 'NamespaceSelector is a label selector
|
|
for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters
|
|
`*` (matches zero or many characters) and `?`
|
|
(matches one character). Wildcards allow writing
|
|
label selectors like ["storage.k8s.io/*": "*"].
|
|
Note that using ["*" : "*"] matches any key
|
|
and value but does not match an empty label
|
|
set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a
|
|
key, and an operator that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only
|
|
"value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: Namespaces is a list of namespace
|
|
names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?"
|
|
(at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used
|
|
to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one
|
|
of the values CREATE, UPDATE, CONNECT, DELETE,
|
|
which are used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: 'Selector is a label selector. Label
|
|
keys and values in `matchLabels` support the
|
|
wildcard characters `*` (matches zero or many
|
|
characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*"
|
|
: "*"] matches any key and value but does not
|
|
match an empty label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a
|
|
key, and an operator that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only
|
|
"value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: Subject contains a reference to the
|
|
object or user identities a role binding applies
|
|
to. This can either hold a direct API object
|
|
reference, or a value for non-objects such as
|
|
user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: APIGroup holds the API group of
|
|
the referenced subject. Defaults to "" for
|
|
ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
|
|
for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: Kind of object being referenced.
|
|
Values defined by this API group are "User",
|
|
"Group", and "ServiceAccount". If the Authorizer
|
|
does not recognize the kind value, the Authorizer
|
|
should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the referenced object. If
|
|
the object kind is non-namespaced, such as
|
|
"User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information about
|
|
the resource being created or modified. Requires at least
|
|
one tag to be specified when under MatchResources. Specifying
|
|
ResourceDescription directly under match is being deprecated.
|
|
Please specify under "any" or "all" instead.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations is a map of annotations (key-value
|
|
pairs of type string). Annotation keys and values
|
|
support the wildcard characters "*" (matches zero
|
|
or many characters) and "?" (matches at least one
|
|
character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: 'Name is the name of the resource. The
|
|
name supports wildcard characters "*" (matches zero
|
|
or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".'
|
|
type: string
|
|
names:
|
|
description: Names are the names of the resources. Each
|
|
name supports wildcard characters "*" (matches zero
|
|
or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: 'NamespaceSelector is a label selector
|
|
for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*`
|
|
(matches zero or many characters) and `?` (matches
|
|
one character). Wildcards allow writing label selectors
|
|
like ["storage.k8s.io/*": "*"]. Note that using ["*"
|
|
: "*"] matches any key and value but does not match
|
|
an empty label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement is a
|
|
selector that contains values, a key, and an
|
|
operator that relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's relationship
|
|
to a set of values. Valid operators are
|
|
In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the
|
|
operator is Exists or DoesNotExist, the
|
|
values array must be empty. This array is
|
|
replaced during a strategic merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is "In",
|
|
and the values array contains only "value". The
|
|
requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: Namespaces is a list of namespace names.
|
|
Each name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used to
|
|
match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one of the
|
|
values CREATE, UPDATE, CONNECT, DELETE, which are
|
|
used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: 'Selector is a label selector. Label keys
|
|
and values in `matchLabels` support the wildcard characters
|
|
`*` (matches zero or many characters) and `?` (matches
|
|
one character). Wildcards allow writing label selectors
|
|
like ["storage.k8s.io/*": "*"]. Note that using ["*"
|
|
: "*"] matches any key and value but does not match
|
|
an empty label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement is a
|
|
selector that contains values, a key, and an
|
|
operator that relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's relationship
|
|
to a set of values. Valid operators are
|
|
In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the
|
|
operator is Exists or DoesNotExist, the
|
|
values array must be empty. This array is
|
|
replaced during a strategic merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is "In",
|
|
and the values array contains only "value". The
|
|
requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: Subject contains a reference to the object
|
|
or user identities a role binding applies to. This
|
|
can either hold a direct API object reference, or a
|
|
value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: APIGroup holds the API group of the referenced
|
|
subject. Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User
|
|
and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: Kind of object being referenced. Values
|
|
defined by this API group are "User", "Group", and
|
|
"ServiceAccount". If the Authorizer does not recognize
|
|
the kind value, the Authorizer should report an
|
|
error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the referenced object. If
|
|
the object kind is non-namespaced, such as "User"
|
|
or "Group", and this value is not empty the Authorizer
|
|
should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
mutate:
|
|
description: Mutation is used to modify matching resources.
|
|
properties:
|
|
foreach:
|
|
description: ForEach applies mutation rules to a list of
|
|
sub-elements by creating a context for each entry in the
|
|
list and looping over it to apply the specified logic.
|
|
items:
|
|
description: ForEachMutation applies mutation rules to
|
|
a list of sub-elements by creating a context for each
|
|
entry in the list and looping over it to apply the specified
|
|
logic.
|
|
properties:
|
|
context:
|
|
description: Context defines variables and data sources
|
|
that can be used during rule execution.
|
|
items:
|
|
description: ContextEntry adds variables and data
|
|
sources to a rule Context. A data source such as a ConfigMap
|
|
reference, an APICall, or an ImageRegistry lookup must be provided.
|
|
properties:
|
|
apiCall:
|
|
description: APICall is an HTTP request to the
|
|
Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context
|
|
with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: Data specifies the POST data
|
|
sent to the server.
|
|
items:
|
|
description: RequestData contains the
|
|
HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
jmesPath:
|
|
description: JMESPath is an optional JSON
|
|
Match Expression that can be used to transform
|
|
the JSON response returned from the server.
|
|
For example a JMESPath of "items | length(@)"
|
|
applied to the API server response for
|
|
the URLPath "/apis/apps/v1/deployments"
|
|
will return the total count of deployments
|
|
across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST).
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: Service is an API call to a
|
|
JSON web service
|
|
properties:
|
|
caBundle:
|
|
description: CABundle is a PEM encoded
|
|
CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: URL is the JSON web service
|
|
URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: URLPath is the URL path to
|
|
be used in the HTTP GET or POST request
|
|
to the Kubernetes API server (e.g. "/api/v1/namespaces"
|
|
or "/apis/apps/v1/deployments"). The
|
|
format required is the same format used
|
|
by the `kubectl get --raw` command. See
|
|
https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: ImageRegistry defines requests
|
|
to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides
|
|
credentials that will be used for authentication
|
|
with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows
insecure access to a registry (e.g. plain HTTP or an
unverifiable TLS certificate). Enable only for trusted,
internal registries, since image metadata fetched without
transport security can be tampered with in transit.
|
|
type: boolean
|
|
providers:
|
|
description: 'Providers specifies a
list of OCI registry credential providers
whose authentication helpers are used.
Each entry must be one of: default, amazon,
azure, google, github.'
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: Secrets specifies a list
of Secret names that provide registry credentials.
The Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: JMESPath is an optional JSON
|
|
Match Expression that can be used to transform
|
|
the ImageData struct returned as a result
|
|
of processing the image reference.
|
|
type: string
|
|
reference:
|
|
description: 'Reference is image reference
|
|
to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest'
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath
|
|
context variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: Default is an optional arbitrary
|
|
JSON object that the variable may take
|
|
if the JMESPath expression evaluates to
|
|
nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: JMESPath is an optional JMESPath
|
|
Expression that can be used to transform
|
|
the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON
|
|
object representable in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: object
|
|
type: array
|
|
foreach:
|
|
description: Foreach declares a nested foreach iterator
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
list:
|
|
description: List specifies a JMESPath expression
that results in one or more elements to which the
mutation logic is applied.
|
|
type: string
|
|
order:
|
|
description: Order defines the iteration order on
|
|
the list. Can be Ascending to iterate from first
|
|
to last element or Descending to iterate in from
|
|
last to first element.
|
|
enum:
|
|
- Ascending
|
|
- Descending
|
|
type: string
|
|
patchStrategicMerge:
|
|
description: PatchStrategicMerge is a strategic merge
|
|
patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
|
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
patchesJson6902:
|
|
description: PatchesJSON6902 is a list of RFC 6902
|
|
JSON Patch declarations used to modify resources.
|
|
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
|
type: string
|
|
preconditions:
|
|
description: 'AnyAllConditions are used to determine
|
|
if a policy rule should be applied by evaluating
|
|
a set of conditions. The declaration can contain
|
|
nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
|
|
properties:
|
|
all:
|
|
description: AllConditions enable variable-based
conditional rule execution. This is useful for
finer control of when a rule is applied. A
condition can reference object data using JMESPath
notation. Here, all of the conditions need to
pass.
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display
|
|
message
|
|
type: string
|
|
operator:
|
|
description: 'Operator is the conditional
|
|
operation to perform. Valid operators
|
|
are: Equals, NotEquals, In, AnyIn, AllIn,
|
|
NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan,
|
|
DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional value,
|
|
or set of values. The values can be fixed
|
|
set or can be variables declared using
|
|
JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: AnyConditions enable variable-based
conditional rule execution. This is useful for
finer control of when a rule is applied. A
condition can reference object data using JMESPath
notation. Here, at least one of the conditions
needs to pass.
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display
|
|
message
|
|
type: string
|
|
operator:
|
|
description: 'Operator is the conditional
|
|
operation to perform. Valid operators
|
|
are: Equals, NotEquals, In, AnyIn, AllIn,
|
|
NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan,
|
|
DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional value,
|
|
or set of values. The values can be fixed
|
|
set or can be variables declared using
|
|
JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
patchStrategicMerge:
|
|
description: PatchStrategicMerge is a strategic merge patch
|
|
used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
|
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
patchesJson6902:
|
|
description: PatchesJSON6902 is a list of RFC 6902 JSON
|
|
Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902
|
|
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
|
type: string
|
|
targets:
|
|
description: Targets defines the target resources to be
|
|
mutated.
|
|
items:
|
|
description: TargetResourceSpec defines targets for mutating
|
|
existing resources.
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
context:
|
|
description: Context defines variables and data sources
|
|
that can be used during rule execution.
|
|
items:
|
|
description: ContextEntry adds variables and data
sources to a rule Context. One of a ConfigMap
reference, an APICall, an ImageRegistry lookup, or an
inline Variable must be provided for each entry.
|
|
properties:
|
|
apiCall:
|
|
description: APICall is an HTTP request to the
|
|
Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context
|
|
with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: Data specifies the POST data
|
|
sent to the server.
|
|
items:
|
|
description: RequestData contains the
|
|
HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
jmesPath:
|
|
description: JMESPath is an optional JSON
|
|
Match Expression that can be used to transform
|
|
the JSON response returned from the server.
|
|
For example a JMESPath of "items | length(@)"
|
|
applied to the API server response for
|
|
the URLPath "/apis/apps/v1/deployments"
|
|
will return the total count of deployments
|
|
across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST).
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: Service is an API call to a
|
|
JSON web service
|
|
properties:
|
|
caBundle:
|
|
description: CABundle is a PEM encoded
|
|
CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: URL is the JSON web service
|
|
URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: URLPath is the URL path to
|
|
be used in the HTTP GET or POST request
|
|
to the Kubernetes API server (e.g. "/api/v1/namespaces"
|
|
or "/apis/apps/v1/deployments"). The
|
|
format required is the same format used
|
|
by the `kubectl get --raw` command. See
|
|
https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: ImageRegistry defines requests
|
|
to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides
|
|
credentials that will be used for authentication
|
|
with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows
insecure access to a registry (e.g. plain HTTP or an
unverifiable TLS certificate). Enable only for trusted,
internal registries, since image metadata fetched without
transport security can be tampered with in transit.
|
|
type: boolean
|
|
providers:
|
|
description: 'Providers specifies a
list of OCI registry credential providers
whose authentication helpers are used.
Each entry must be one of: default, amazon,
azure, google, github.'
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: Secrets specifies a list
of Secret names that provide registry credentials.
The Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: JMESPath is an optional JSON
|
|
Match Expression that can be used to transform
|
|
the ImageData struct returned as a result
|
|
of processing the image reference.
|
|
type: string
|
|
reference:
|
|
description: 'Reference is image reference
|
|
to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest'
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath
|
|
context variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: Default is an optional arbitrary
|
|
JSON object that the variable may take
|
|
if the JMESPath expression evaluates to
|
|
nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: JMESPath is an optional JMESPath
|
|
Expression that can be used to transform
|
|
the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON
|
|
object representable in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: object
|
|
type: array
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
preconditions:
|
|
description: 'Preconditions are used to determine
|
|
if a policy rule should be applied by evaluating
|
|
a set of conditions. The declaration can contain
|
|
nested `any` or `all` statements. A direct list
|
|
of conditions (without `any` or `all` statements)
is supported for backwards compatibility but will
|
|
be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
name:
|
|
description: Name is a label to identify the rule, It must be
|
|
unique within the policy.
|
|
maxLength: 63
|
|
type: string
|
|
preconditions:
|
|
description: 'Preconditions are used to determine if a policy
|
|
rule should be applied by evaluating a set of conditions.
|
|
The declaration can contain nested `any` or `all` statements.
|
|
A direct list of conditions (without `any` or `all` statements)
is supported for backwards compatibility but will be deprecated
|
|
in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
validate:
|
|
description: Validation is used to validate matching resources.
|
|
properties:
|
|
anyPattern:
|
|
description: AnyPattern specifies list of validation patterns.
|
|
At least one of the patterns must be satisfied for the
|
|
validation rule to succeed.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
cel:
|
|
description: CEL allows validation checks using the Common
|
|
Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
|
|
properties:
|
|
auditAnnotations:
|
|
description: AuditAnnotations contains CEL expressions
|
|
which are used to produce audit annotations for the
|
|
audit event of the API request.
|
|
items:
|
|
description: AuditAnnotation describes how to produce
|
|
an audit annotation for an API request.
|
|
properties:
|
|
key:
|
|
description: "key specifies the audit annotation
|
|
key. The audit annotation keys of a ValidatingAdmissionPolicy
|
|
must be unique. The key must be a qualified
|
|
name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than
|
|
63 bytes in length. \n The key is combined with
|
|
the resource name of the ValidatingAdmissionPolicy
|
|
to construct an audit annotation key: \"{ValidatingAdmissionPolicy
|
|
name}/{key}\". \n If an admission webhook uses
|
|
the same resource name as this ValidatingAdmissionPolicy
|
|
and the same audit annotation key, the annotation
|
|
key will be identical. In this case, the first
|
|
annotation written with the key will be included
|
|
in the audit event and all subsequent annotations
|
|
with the same key will be discarded. \n Required."
|
|
type: string
|
|
valueExpression:
|
|
description: "valueExpression represents the expression
|
|
which is evaluated by CEL to produce an audit
|
|
annotation value. The expression must evaluate
|
|
to either a string or null value. If the expression
|
|
evaluates to a string, the audit annotation
|
|
is included with the string value. If the expression
|
|
evaluates to null or empty string the audit
|
|
annotation will be omitted. The valueExpression
|
|
may be no longer than 5kb in length. If the
|
|
result of the valueExpression is more than 10kb
|
|
in length, it will be truncated to 10kb. \n
|
|
If multiple ValidatingAdmissionPolicyBinding
|
|
resources match an API request, then the valueExpression
|
|
will be evaluated for each binding. All unique
|
|
values produced by the valueExpressions will
|
|
be joined together in a comma-separated list.
|
|
\n Required."
|
|
type: string
|
|
required:
|
|
- key
|
|
- valueExpression
|
|
type: object
|
|
type: array
|
|
expressions:
|
|
description: Expressions is a list of CELExpression
|
|
types.
|
|
items:
|
|
description: Validation specifies the CEL expression
|
|
which is used to apply the validation.
|
|
properties:
|
|
expression:
|
|
description: "Expression represents the expression
|
|
which will be evaluated by CEL. ref: https://github.com/google/cel-spec
|
|
CEL expressions have access to the contents
|
|
of the API request/response, organized into
|
|
CEL variables as well as some other useful variables:
|
|
\n - 'object' - The object from the incoming
|
|
request. The value is null for DELETE requests.
|
|
- 'oldObject' - The existing object. The value
|
|
is null for CREATE requests. - 'request' - Attributes
|
|
of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
|
|
- 'params' - Parameter resource referred to
|
|
by the policy binding being evaluated. Only
|
|
populated if the policy has a ParamKind. - 'namespaceObject'
|
|
- The namespace object that the incoming object
|
|
belongs to. The value is null for cluster-scoped
|
|
resources. - 'variables' - Map of composited
|
|
variables, from its name to its lazily evaluated
|
|
value. For example, a variable named 'foo' can
|
|
be accessed as 'variables.foo'. - 'authorizer'
|
|
- A CEL Authorizer. May be used to perform authorization
|
|
checks for the principal (user or service account)
|
|
of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
|
- 'authorizer.requestResource' - A CEL ResourceCheck
|
|
constructed from the 'authorizer' and configured
|
|
with the request resource. \n The `apiVersion`,
|
|
`kind`, `metadata.name` and `metadata.generateName`
|
|
are always accessible from the root of the object.
|
|
No other metadata properties are accessible.
|
|
\n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
|
|
are accessible. Accessible property names are
|
|
escaped according to the following rules when
|
|
accessed in the expression: - '__' escapes to
|
|
'__underscores__' - '.' escapes to '__dot__'
|
|
- '-' escapes to '__dash__' - '/' escapes to
|
|
'__slash__' - Property names that exactly match
|
|
a CEL RESERVED keyword escape to '__{keyword}__'.
|
|
The keywords are: \"true\", \"false\", \"null\",
|
|
\"in\", \"as\", \"break\", \"const\", \"continue\",
|
|
\"else\", \"for\", \"function\", \"if\", \"import\",
|
|
\"let\", \"loop\", \"package\", \"namespace\",
|
|
\"return\". Examples: - Expression accessing
|
|
a property named \"namespace\": {\"Expression\":
|
|
\"object.__namespace__ > 0\"} - Expression accessing
|
|
a property named \"x-prop\": {\"Expression\":
|
|
\"object.x__dash__prop > 0\"} - Expression accessing
|
|
a property named \"redact__d\": {\"Expression\":
|
|
\"object.redact__underscores__d > 0\"} \n Equality
|
|
on arrays with list type of 'set' or 'map' ignores
|
|
element order, i.e. [1, 2] == [2, 1]. Concatenation
|
|
on arrays with x-kubernetes-list-type use the
|
|
semantics of the list type: - 'set': `X + Y`
|
|
performs a union where the array positions of
|
|
all elements in `X` are preserved and non-intersecting
|
|
elements in `Y` are appended, retaining their
|
|
partial order. - 'map': `X + Y` performs a merge
|
|
where the array positions of all keys in `X`
|
|
are preserved but the values are overwritten
|
|
by values in `Y` when the key sets of `X` and
|
|
`Y` intersect. Elements in `Y` with non-intersecting
|
|
keys are appended, retaining their partial order.
|
|
Required."
|
|
type: string
|
|
message:
|
|
description: 'Message represents the message displayed
when validation fails. The message is required
if the Expression contains line breaks, and the
message itself must not contain line breaks. If
unset, a default message naming the failed Expression
is used. e.g. "must be a URL with the host matching
spec.host"'
|
|
type: string
|
|
messageExpression:
|
|
description: 'messageExpression declares a CEL
|
|
expression that evaluates to the validation
|
|
failure message that is returned when this rule
|
|
fails. Since messageExpression is used as a
|
|
failure message, it must evaluate to a string.
|
|
If both message and messageExpression are present
|
|
on a validation, then messageExpression will
|
|
be used if validation fails. If messageExpression
|
|
results in a runtime error, the runtime error
|
|
is logged, and the validation failure message
|
|
is produced as if the messageExpression field
|
|
were unset. If messageExpression evaluates to
|
|
an empty string, a string with only spaces,
|
|
or a string that contains line breaks, then
|
|
the validation failure message will also be
|
|
produced as if the messageExpression field were
|
|
unset, and the fact that messageExpression produced
|
|
an empty string/string with only spaces/string
|
|
with line breaks will be logged. messageExpression
|
|
has access to all the same variables as the
|
|
`expression` except for ''authorizer'' and ''authorizer.requestResource''.
|
|
Example: "object.x must be less than max ("+string(params.max)+")"'
|
|
type: string
|
|
reason:
|
|
description: 'Reason represents a machine-readable
|
|
description of why this validation failed. If
|
|
this is the first validation in the list to
|
|
fail, this reason, as well as the corresponding
|
|
HTTP response code, are used in the HTTP response
|
|
to the client. The currently supported reasons
|
|
are: "Unauthorized", "Forbidden", "Invalid",
|
|
"RequestEntityTooLarge". If not set, StatusReasonInvalid
|
|
is used in the response to the client.'
|
|
type: string
|
|
required:
|
|
- expression
|
|
type: object
|
|
type: array
|
|
paramKind:
|
|
description: ParamKind is a tuple of Group Kind and
|
|
Version.
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion is the API group version
|
|
the resources belong to. In format of "group/version".
|
|
Required.
|
|
type: string
|
|
kind:
|
|
description: Kind is the API kind the resources
|
|
belong to. Required.
|
|
type: string
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
paramRef:
|
|
description: ParamRef references a parameter resource.
|
|
properties:
|
|
name:
|
|
description: "`name` is the name of the resource
|
|
being referenced. \n `name` and `selector` are
|
|
mutually exclusive properties. If one is set,
|
|
the other must be unset."
|
|
type: string
|
|
namespace:
|
|
description: "namespace is the namespace of the
|
|
referenced resource. Allows limiting the search
|
|
for params to a specific namespace. Applies to
|
|
both `name` and `selector` fields. \n A per-namespace
|
|
parameter may be used by specifying a namespace-scoped
|
|
`paramKind` in the policy and leaving this field
|
|
empty. \n - If `paramKind` is cluster-scoped,
|
|
this field MUST be unset. Setting this field results
|
|
in a configuration error. \n - If `paramKind`
|
|
is namespace-scoped, the namespace of the object
|
|
being evaluated for admission will be used when
|
|
this field is left unset. Take care that if this
|
|
is left empty the binding must not match any cluster-scoped
|
|
resources, which will result in an error."
|
|
type: string
|
|
parameterNotFoundAction:
|
|
description: "`parameterNotFoundAction` controls
|
|
the behavior of the binding when the resource
|
|
exists, and name or selector is valid, but there
|
|
are no parameters matched by the binding. If the
|
|
value is set to `Allow`, then no matched parameters
|
|
will be treated as successful validation by the
|
|
binding. If set to `Deny`, then no matched parameters
|
|
will be subject to the `failurePolicy` of the
|
|
policy. \n Allowed values are `Allow` or `Deny`.
Defaults to `Deny`."
|
|
type: string
|
|
selector:
|
|
description: "selector can be used to match multiple
|
|
param objects based on their labels. Supply selector:
|
|
{} to match all resources of the ParamKind. \n
|
|
If multiple params are found, they are all evaluated
|
|
with the policy expressions and the results are
|
|
ANDed together. \n One of `name` or `selector`
|
|
must be set, but `name` and `selector` are mutually
|
|
exclusive properties. If one is set, the other
|
|
must be unset."
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a key,
|
|
and an operator that relates the key and
|
|
values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only "value".
|
|
The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
variables:
|
|
description: Variables contain definitions of variables
|
|
that can be used in composition of other expressions.
|
|
Each variable is defined as a named CEL expression.
|
|
The variables defined here will be available under
|
|
`variables` in other expressions of the policy.
|
|
items:
|
|
description: Variable is the definition of a variable
|
|
that is used for composition.
|
|
properties:
|
|
expression:
|
|
description: Expression is the expression that
|
|
will be evaluated as the value of the variable.
|
|
The CEL expression has access to the same identifiers
|
|
as the CEL expressions in Validation.
|
|
type: string
|
|
name:
|
|
description: Name is the name of the variable.
|
|
The name must be a valid CEL identifier and
|
|
unique among all variables. The variable can
|
|
be accessed in other expressions through `variables`
|
|
For example, if name is "foo", the variable
|
|
will be available as `variables.foo`
|
|
type: string
|
|
required:
|
|
- expression
|
|
- name
|
|
type: object
|
|
type: array
|
|
type: object
|
|
deny:
|
|
description: Deny defines conditions used to pass or fail
|
|
a validation rule.
|
|
properties:
|
|
conditions:
|
|
description: 'Multiple conditions can be declared under
|
|
an `any` or `all` statement. A direct list of conditions
|
|
(without `any` or `all` statements) is also supported
|
|
for backwards compatibility but will be deprecated
|
|
in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
foreach:
|
|
description: ForEach applies validate rules to a list of
|
|
sub-elements by creating a context for each entry in the
|
|
list and looping over it to apply the specified logic.
|
|
items:
|
|
description: ForEachValidation applies validate rules
|
|
to a list of sub-elements by creating a context for
|
|
each entry in the list and looping over it to apply
|
|
the specified logic.
|
|
properties:
|
|
anyPattern:
|
|
description: AnyPattern specifies list of validation
|
|
patterns. At least one of the patterns must be satisfied
|
|
for the validation rule to succeed.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
context:
|
|
description: Context defines variables and data sources
|
|
that can be used during rule execution.
|
|
items:
|
|
description: ContextEntry adds variables and data
sources to a rule Context. One of a ConfigMap
reference, an APICall, an ImageRegistry lookup, or an
inline Variable must be provided for each entry.
|
|
properties:
|
|
apiCall:
|
|
description: APICall is an HTTP request to the
|
|
Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context
|
|
with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: Data specifies the POST data
|
|
sent to the server.
|
|
items:
|
|
description: RequestData contains the
|
|
HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
jmesPath:
|
|
description: JMESPath is an optional JSON
|
|
Match Expression that can be used to transform
|
|
the JSON response returned from the server.
|
|
For example a JMESPath of "items | length(@)"
|
|
applied to the API server response for
|
|
the URLPath "/apis/apps/v1/deployments"
|
|
will return the total count of deployments
|
|
across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST).
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: Service is an API call to a
|
|
JSON web service
|
|
properties:
|
|
caBundle:
|
|
description: CABundle is a PEM encoded
|
|
CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: URL is the JSON web service
|
|
URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: URLPath is the URL path to
|
|
be used in the HTTP GET or POST request
|
|
to the Kubernetes API server (e.g. "/api/v1/namespaces"
|
|
or "/apis/apps/v1/deployments"). The
|
|
format required is the same format used
|
|
by the `kubectl get --raw` command. See
|
|
https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: ImageRegistry defines requests
|
|
to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides
|
|
credentials that will be used for authentication
|
|
with the registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows
|
|
insecure access to a registry
|
|
type: boolean
|
|
providers:
|
|
description: 'Providers specifies a
|
|
list of OCI Registry names, whose
|
|
authentication providers are provided.
|
|
It can be one of these values:
|
|
AWS, ACR, GCP, GHCR'
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: Secrets specifies a list
|
|
of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: JMESPath is an optional JSON
|
|
Match Expression that can be used to transform
|
|
the ImageData struct returned as a result
|
|
of processing the image reference.
|
|
type: string
|
|
reference:
|
|
description: 'Reference is image reference
|
|
to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest'
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath
|
|
context variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: Default is an optional arbitrary
|
|
JSON object that the variable may take
|
|
if the JMESPath expression evaluates to
|
|
nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: JMESPath is an optional JMESPath
|
|
Expression that can be used to transform
|
|
the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON
|
|
object representable in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: object
|
|
type: array
|
|
deny:
|
|
description: Deny defines conditions used to pass
|
|
or fail a validation rule.
|
|
properties:
|
|
conditions:
|
|
description: 'Multiple conditions can be declared
|
|
under an `any` or `all` statement. A direct
|
|
list of conditions (without `any` or `all` statements)
|
|
is also supported for backwards compatibility
|
|
but will be deprecated in the next major release.
|
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
elementScope:
|
|
description: ElementScope specifies whether to use
|
|
the current list element as the scope for validation.
|
|
Defaults to "true" if not specified. When set to
|
|
"false", "request.object" is used as the validation
|
|
scope within the foreach block to allow referencing
|
|
other elements in the subtree.
|
|
type: boolean
|
|
foreach:
|
|
description: Foreach declares a nested foreach iterator
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
list:
|
|
description: List specifies a JMESPath expression
|
|
that results in one or more elements to which the
|
|
validation logic is applied.
|
|
type: string
|
|
pattern:
|
|
description: Pattern specifies an overlay-style pattern
|
|
used to check resources.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
preconditions:
|
|
description: 'AnyAllConditions are used to determine
|
|
if a policy rule should be applied by evaluating
|
|
a set of conditions. The declaration can contain
|
|
nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
|
|
properties:
|
|
all:
|
|
description: AllConditions enable variable-based
|
|
conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A
|
|
condition can reference object data using JMESPath
|
|
notation. Here, all of the conditions need to
|
|
pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display
|
|
message
|
|
type: string
|
|
operator:
|
|
description: 'Operator is the conditional
|
|
operation to perform. Valid operators
|
|
are: Equals, NotEquals, In, AnyIn, AllIn,
|
|
NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan,
|
|
DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional value,
|
|
or set of values. The values can be fixed
|
|
set or can be variables declared using
|
|
JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: AnyConditions enable variable-based
|
|
conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A
|
|
condition can reference object data using JMESPath
|
|
notation. Here, at least one of the conditions
|
|
needs to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display
|
|
message
|
|
type: string
|
|
operator:
|
|
description: 'Operator is the conditional
|
|
operation to perform. Valid operators
|
|
are: Equals, NotEquals, In, AnyIn, AllIn,
|
|
NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan,
|
|
DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional value,
|
|
or set of values. The values can be fixed
|
|
set or can be variables declared using
|
|
JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
manifests:
|
|
description: Manifest specifies conditions for manifest
|
|
verification
|
|
properties:
|
|
annotationDomain:
|
|
description: AnnotationDomain is custom domain of annotation
|
|
for message and signature. Default is "cosign.sigstore.dev".
|
|
type: string
|
|
attestors:
|
|
description: Attestors specify the required attestors
|
|
(i.e. authorities)
|
|
items:
|
|
properties:
|
|
count:
|
|
description: Count specifies the required number
|
|
of entries that must match. If the count is
|
|
null, all entries must match (a logical AND).
|
|
If the count is 1, at least one entry must match
|
|
(a logical OR). If the count contains a value
|
|
N, then N must be less than or equal to the
|
|
size of entries, and at least N entries must
|
|
match.
|
|
minimum: 1
|
|
type: integer
|
|
entries:
|
|
description: Entries contains the available attestors.
|
|
An attestor can be a static key, attributes
|
|
for keyless verification, or a nested attestor
|
|
declaration.
|
|
items:
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations are used for image
|
|
verification. Every specified key-value
|
|
pair must exist and match in the verified
|
|
payload. The payload may contain other
|
|
key-value pairs.
|
|
type: object
|
|
attestor:
|
|
description: Attestor is a nested AttestorSet
|
|
used to specify a more complex set of
|
|
match authorities
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
certificates:
|
|
description: Certificates specifies one
|
|
or more certificates
|
|
properties:
|
|
cert:
|
|
description: Certificate is an optional
|
|
PEM encoded public certificate.
|
|
type: string
|
|
certChain:
|
|
description: CertificateChain is an
|
|
optional PEM encoded set of certificates
|
|
used to verify
|
|
type: string
|
|
ctlog:
|
|
description: CTLog provides configuration
|
|
for validation of SCTs. If the value
|
|
is nil, default ctlog public key is
|
|
used
|
|
properties:
|
|
ignoreSCT:
|
|
description: IgnoreSCT requires
|
|
that a certificate contain an
|
|
embedded SCT during verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: CTLogPubKey, if set,
|
|
is used to validate SCTs against
|
|
those keys.
|
|
type: string
|
|
type: object
|
|
rekor:
|
|
description: Rekor provides configuration
|
|
for the Rekor transparency log service.
|
|
If an empty object is provided the
|
|
public instance of Rekor (https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips tlog
|
|
verification
|
|
type: boolean
|
|
pubkey:
|
|
description: RekorPubKey is an optional
|
|
PEM encoded public key to use
|
|
for a custom Rekor. If set, is
|
|
used to validate signatures on
|
|
log entries from Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
type: object
|
|
keyless:
|
|
description: Keyless is a set of attributes
|
|
used to verify a Sigstore keyless attestor.
|
|
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions are
|
|
certificate-extensions used for keyless
|
|
signing.
|
|
type: object
|
|
ctlog:
|
|
description: CTLog provides configuration
|
|
for validation of SCTs. If the value
|
|
is nil, default ctlog public key is
|
|
used
|
|
properties:
|
|
ignoreSCT:
|
|
description: IgnoreSCT requires
|
|
that a certificate contain an
|
|
embedded SCT during verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: CTLogPubKey, if set,
|
|
is used to validate SCTs against
|
|
those keys.
|
|
type: string
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
rekor:
|
|
description: Rekor provides configuration
|
|
for the Rekor transparency log service.
|
|
If an empty object is provided the
|
|
public instance of Rekor (https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips tlog
|
|
verification
|
|
type: boolean
|
|
pubkey:
|
|
description: RekorPubKey is an optional
|
|
PEM encoded public key to use
|
|
for a custom Rekor. If set, is
|
|
used to validate signatures on
|
|
log entries from Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
roots:
|
|
description: Roots is an optional set
|
|
of PEM encoded trusted root certificates.
|
|
If not provided, the system roots
|
|
are used.
|
|
type: string
|
|
subject:
|
|
description: Subject is the verified
|
|
identity used for keyless signing,
|
|
for example the email address.
|
|
type: string
|
|
type: object
|
|
keys:
|
|
description: Keys specifies one or more
|
|
public keys
|
|
properties:
|
|
ctlog:
|
|
description: CTLog provides configuration
|
|
for validation of SCTs. If the value
|
|
is nil, default ctlog public key is
|
|
used
|
|
properties:
|
|
ignoreSCT:
|
|
description: IgnoreSCT requires
|
|
that a certificate contain an
|
|
embedded SCT during verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: CTLogPubKey, if set,
|
|
is used to validate SCTs against
|
|
those keys.
|
|
type: string
|
|
type: object
|
|
kms:
|
|
description: 'KMS provides the URI to
|
|
the public key stored in a Key Management
|
|
System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
|
|
type: string
|
|
publicKeys:
|
|
description: Keys is a set of X.509
|
|
public keys used to verify image signatures.
|
|
The keys can be directly specified
|
|
or can be a variable reference to
|
|
a key specified in a ConfigMap (see
|
|
https://kyverno.io/docs/writing-policies/variables/),
|
|
or reference a standard Kubernetes
|
|
Secret elsewhere in the cluster by
|
|
specifying it in the format "k8s://<namespace>/<secret_name>".
|
|
The named Secret must specify a key
|
|
`cosign.pub` containing the public
|
|
key used for verification (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
|
|
When multiple keys are specified each
|
|
key is processed as a separate staticKey
|
|
entry (.attestors[*].entries.keys)
|
|
within the set of attestors and the
|
|
count is applied across the keys.
|
|
type: string
|
|
rekor:
|
|
description: Rekor provides configuration
|
|
for the Rekor transparency log service.
|
|
If an empty object is provided the
|
|
public instance of Rekor (https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips tlog
|
|
verification
|
|
type: boolean
|
|
pubkey:
|
|
description: RekorPubKey is an optional
|
|
PEM encoded public key to use
|
|
for a custom Rekor. If set, is
|
|
used to validate signatures on
|
|
log entries from Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
secret:
|
|
description: Reference to a Secret resource
|
|
that contains a public key
|
|
properties:
|
|
name:
|
|
description: Name of the secret.
|
|
The provided secret must contain
|
|
a key named cosign.pub.
|
|
type: string
|
|
namespace:
|
|
description: Namespace name where
|
|
the Secret exists.
|
|
type: string
|
|
required:
|
|
- name
|
|
- namespace
|
|
type: object
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Specify signature algorithm
|
|
for public keys. Supported values
|
|
are sha256 and sha512.
|
|
type: string
|
|
type: object
|
|
repository:
|
|
description: Repository is an optional alternate
|
|
OCI repository to use for signatures and
|
|
attestations that match this rule. If
|
|
specified, Repository will override other
|
|
OCI image repository locations for this
|
|
Attestor.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
dryRun:
|
|
description: DryRun configuration
|
|
properties:
|
|
enable:
|
|
type: boolean
|
|
namespace:
|
|
type: string
|
|
type: object
|
|
ignoreFields:
|
|
description: Fields which will be ignored while comparing
|
|
manifests.
|
|
items:
|
|
properties:
|
|
fields:
|
|
items:
|
|
type: string
|
|
type: array
|
|
objects:
|
|
items:
|
|
properties:
|
|
group:
|
|
type: string
|
|
kind:
|
|
type: string
|
|
name:
|
|
type: string
|
|
namespace:
|
|
type: string
|
|
version:
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
repository:
|
|
description: Repository is an optional alternate OCI
|
|
repository to use for resource bundle reference. The
|
|
repository can be overridden per Attestor or Attestation.
|
|
type: string
|
|
type: object
|
|
message:
|
|
description: Message specifies a custom message to be displayed
|
|
on failure.
|
|
type: string
|
|
pattern:
|
|
description: Pattern specifies an overlay-style pattern
|
|
used to check resources.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
podSecurity:
|
|
description: PodSecurity applies exemptions for Kubernetes
|
|
Pod Security admission by specifying exclusions for Pod
|
|
Security Standards controls.
|
|
properties:
|
|
exclude:
|
|
description: Exclude specifies the Pod Security Standard
|
|
controls to be excluded.
|
|
items:
|
|
description: PodSecurityStandard specifies the Pod
|
|
Security Standard controls to be excluded.
|
|
properties:
|
|
controlName:
|
|
description: 'ControlName specifies the name of
|
|
the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/'
|
|
enum:
|
|
- HostProcess
|
|
- Host Namespaces
|
|
- Privileged Containers
|
|
- Capabilities
|
|
- HostPath Volumes
|
|
- Host Ports
|
|
- AppArmor
|
|
- SELinux
|
|
- /proc Mount Type
|
|
- Seccomp
|
|
- Sysctls
|
|
- Volume Types
|
|
- Privilege Escalation
|
|
- Running as Non-root
|
|
- Running as Non-root user
|
|
type: string
|
|
images:
|
|
description: 'Images selects matching containers
|
|
and applies the container level PSS. Each image
|
|
is the image name consisting of the registry
|
|
address, repository, image, and tag. Empty list
|
|
matches no containers, PSS checks are applied
|
|
at the pod level only. Wildcards (''*'' and
|
|
''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- controlName
|
|
type: object
|
|
type: array
|
|
level:
|
|
description: Level defines the Pod Security Standard
|
|
level to be applied to workloads. Allowed values are
|
|
privileged, baseline, and restricted.
|
|
enum:
|
|
- privileged
|
|
- baseline
|
|
- restricted
|
|
type: string
|
|
version:
|
|
description: Version defines the Pod Security Standard
|
|
versions that Kubernetes supports. Allowed values
|
|
are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25,
|
|
v1.26, latest. Defaults to latest.
|
|
enum:
|
|
- v1.19
|
|
- v1.20
|
|
- v1.21
|
|
- v1.22
|
|
- v1.23
|
|
- v1.24
|
|
- v1.25
|
|
- v1.26
|
|
- latest
|
|
type: string
|
|
type: object
|
|
type: object
|
|
verifyImages:
|
|
description: VerifyImages is used to verify image signatures
|
|
and mutate them to add a digest
|
|
items:
|
|
description: ImageVerification validates that images that
|
|
match the specified pattern are signed with the supplied
|
|
public key. Once the image is verified it is mutated to
|
|
include the SHA digest retrieved during the registration.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: Deprecated.
|
|
type: object
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Deprecated. Use annotations per Attestor
|
|
instead.
|
|
type: object
|
|
attestations:
|
|
description: Attestations are optional checks for signed
|
|
in-toto Statements used to verify the image. See https://github.com/in-toto/attestation.
|
|
Kyverno fetches signed attestations from the OCI registry
|
|
and decodes them into a list of Statement declarations.
|
|
items:
|
|
description: Attestation are checks for signed in-toto
|
|
Statements that are used to verify the image. See
|
|
https://github.com/in-toto/attestation. Kyverno fetches
|
|
signed attestations from the OCI registry and decodes
|
|
them into a list of Statements.
|
|
properties:
|
|
attestors:
|
|
description: Attestors specify the required attestors
|
|
(i.e. authorities)
|
|
items:
|
|
properties:
|
|
count:
|
|
description: Count specifies the required
|
|
number of entries that must match. If the
|
|
count is null, all entries must match (a
|
|
logical AND). If the count is 1, at least
|
|
one entry must match (a logical OR). If
|
|
the count contains a value N, then N must
|
|
be less than or equal to the size of entries,
|
|
and at least N entries must match.
|
|
minimum: 1
|
|
type: integer
|
|
entries:
|
|
description: Entries contains the available
|
|
attestors. An attestor can be a static key,
|
|
attributes for keyless verification, or
|
|
a nested attestor declaration.
|
|
items:
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations are used for
|
|
image verification. Every specified
|
|
key-value pair must exist and match
|
|
in the verified payload. The payload
|
|
may contain other key-value pairs.
|
|
type: object
|
|
attestor:
|
|
description: Attestor is a nested AttestorSet
|
|
used to specify a more complex set
|
|
of match authorities
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
certificates:
|
|
description: Certificates specifies
|
|
one or more certificates
|
|
properties:
|
|
cert:
|
|
description: Certificate is an optional
|
|
PEM encoded public certificate.
|
|
type: string
|
|
certChain:
|
|
description: CertificateChain is
|
|
an optional PEM encoded set of
|
|
certificates used to verify
|
|
type: string
|
|
ctlog:
|
|
description: CTLog provides configuration
|
|
for validation of SCTs. If the
|
|
value is nil, default ctlog public
|
|
key is used
|
|
properties:
|
|
ignoreSCT:
|
|
description: IgnoreSCT requires
|
|
that a certificate contain
|
|
an embedded SCT during verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: CTLogPubKey, if
|
|
set, is used to validate SCTs
|
|
against those keys.
|
|
type: string
|
|
type: object
|
|
rekor:
|
|
description: Rekor provides configuration
|
|
for the Rekor transparency log
|
|
service. If an empty object is
|
|
provided the public instance of
|
|
Rekor (https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
tlog verification
|
|
type: boolean
|
|
pubkey:
|
|
description: RekorPubKey is
|
|
an optional PEM encoded public
|
|
key to use for a custom Rekor.
|
|
If set, is used to validate
|
|
signatures on log entries
|
|
from Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
type: object
|
|
keyless:
|
|
description: Keyless is a set of attributes
|
|
used to verify a Sigstore keyless
|
|
attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions
|
|
are certificate-extensions used
|
|
for keyless signing.
|
|
type: object
|
|
ctlog:
|
|
description: CTLog provides configuration
|
|
for validation of SCTs. If the
|
|
value is nil, default ctlog public
|
|
key is used
|
|
properties:
|
|
ignoreSCT:
|
|
description: IgnoreSCT requires
|
|
that a certificate contain
|
|
an embedded SCT during verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: CTLogPubKey, if
|
|
set, is used to validate SCTs
|
|
against those keys.
|
|
type: string
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
rekor:
|
|
description: Rekor provides configuration
|
|
for the Rekor transparency log
|
|
service. If an empty object is
|
|
provided the public instance of
|
|
Rekor (https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
tlog verification
|
|
type: boolean
|
|
pubkey:
|
|
description: RekorPubKey is
|
|
an optional PEM encoded public
|
|
key to use for a custom Rekor.
|
|
If set, is used to validate
|
|
signatures on log entries
|
|
from Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
roots:
|
|
description: Roots is an optional
|
|
set of PEM encoded trusted root
|
|
certificates. If not provided,
|
|
the system roots are used.
|
|
type: string
|
|
subject:
|
|
description: Subject is the verified
|
|
identity used for keyless signing,
|
|
for example the email address.
|
|
type: string
|
|
type: object
|
|
keys:
|
|
description: Keys specifies one or more
|
|
public keys
|
|
properties:
|
|
ctlog:
|
|
description: CTLog provides configuration
|
|
for validation of SCTs. If the
|
|
value is nil, default ctlog public
|
|
key is used
|
|
properties:
|
|
ignoreSCT:
|
|
description: IgnoreSCT requires
|
|
that a certificate contain
|
|
an embedded SCT during verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: CTLogPubKey, if
|
|
set, is used to validate SCTs
|
|
against those keys.
|
|
type: string
|
|
type: object
|
|
kms:
|
|
description: 'KMS provides the URI
|
|
to the public key stored in a
|
|
Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
|
|
type: string
|
|
publicKeys:
|
|
description: Keys is a set of X.509
|
|
public keys used to verify image
|
|
signatures. The keys can be directly
|
|
specified or can be a variable
|
|
reference to a key specified in
|
|
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
|
|
or reference a standard Kubernetes
|
|
Secret elsewhere in the cluster
|
|
by specifying it in the format
|
|
"k8s://<namespace>/<secret_name>".
|
|
The named Secret must specify
|
|
a key `cosign.pub` containing
|
|
the public key used for verification
|
|
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
|
|
When multiple keys are specified
|
|
each key is processed as a separate
|
|
staticKey entry (.attestors[*].entries.keys)
|
|
within the set of attestors and
|
|
the count is applied across the
|
|
keys.
|
|
type: string
|
|
rekor:
|
|
description: Rekor provides configuration
|
|
for the Rekor transparency log
|
|
service. If an empty object is
|
|
provided the public instance of
|
|
Rekor (https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
tlog verification
|
|
type: boolean
|
|
pubkey:
|
|
description: RekorPubKey is
|
|
an optional PEM encoded public
|
|
key to use for a custom Rekor.
|
|
If set, is used to validate
|
|
signatures on log entries
|
|
from Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
secret:
|
|
description: Reference to a Secret
|
|
resource that contains a public
|
|
key
|
|
properties:
|
|
name:
|
|
description: Name of the secret.
|
|
The provided secret must contain
|
|
a key named cosign.pub.
|
|
type: string
|
|
namespace:
|
|
description: Namespace name
|
|
where the Secret exists.
|
|
type: string
|
|
required:
|
|
- name
|
|
- namespace
|
|
type: object
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Specify signature algorithm
|
|
for public keys. Supported values
|
|
are sha256 and sha512.
|
|
type: string
|
|
type: object
|
|
repository:
|
|
description: Repository is an optional
|
|
alternate OCI repository to use for
|
|
signatures and attestations that match
|
|
this rule. If specified, Repository
|
|
will override other OCI image repository
|
|
locations for this Attestor.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
conditions:
|
|
description: Conditions are used to verify attributes
|
|
within a Predicate. If no Conditions are specified
|
|
the attestation check is satisfied as long as there
|
|
are predicates that match the predicate type.
|
|
items:
|
|
description: AnyAllConditions consists of conditions
|
|
wrapped denoting a logical criteria to be fulfilled.
|
|
AnyConditions get fulfilled when at least one
|
|
of its sub-conditions passes. AllConditions
|
|
get fulfilled only when all of its sub-conditions
|
|
pass.
|
|
properties:
|
|
all:
|
|
description: AllConditions enable variable-based
|
|
conditional rule execution. This is useful
|
|
for finer control of when a rule is applied.
|
|
A condition can reference object data using
|
|
JMESPath notation. Here, all of the conditions
|
|
need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: 'Operator is the conditional
|
|
operation to perform. Valid operators
|
|
are: Equals, NotEquals, In, AnyIn,
|
|
AllIn, NotIn, AnyNotIn, AllNotIn,
|
|
GreaterThanOrEquals, GreaterThan,
|
|
LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
|
|
DurationGreaterThan, DurationLessThanOrEquals,
|
|
DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional
|
|
value, or set of values. The values
|
|
can be fixed set or can be variables
|
|
declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: AnyConditions enable variable-based
|
|
conditional rule execution. This is useful
|
|
for finer control of when a rule is applied.
|
|
A condition can reference object data using
|
|
JMESPath notation. Here, at least one of
|
|
the conditions needs to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: 'Operator is the conditional
|
|
operation to perform. Valid operators
|
|
are: Equals, NotEquals, In, AnyIn,
|
|
AllIn, NotIn, AnyNotIn, AllNotIn,
|
|
GreaterThanOrEquals, GreaterThan,
|
|
LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
|
|
DurationGreaterThan, DurationLessThanOrEquals,
|
|
DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional
|
|
value, or set of values. The values
|
|
can be fixed set or can be variables
|
|
declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
predicateType:
|
|
description: Deprecated in favour of 'Type', to
|
|
be removed soon
|
|
type: string
|
|
type:
|
|
description: Type defines the type of attestation
|
|
contained within the Statement.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
attestors:
|
|
description: Attestors specify the required attestors
|
|
(i.e. authorities)
|
|
items:
|
|
properties:
|
|
count:
|
|
description: Count specifies the required number
|
|
of entries that must match. If the count is null,
|
|
all entries must match (a logical AND). If the
|
|
count is 1, at least one entry must match (a logical
|
|
OR). If the count contains a value N, then N must
|
|
be less than or equal to the size of entries,
|
|
and at least N entries must match.
|
|
minimum: 1
|
|
type: integer
|
|
entries:
|
|
description: Entries contains the available attestors.
|
|
An attestor can be a static key, attributes for
|
|
keyless verification, or a nested attestor declaration.
|
|
items:
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations are used for image
|
|
verification. Every specified key-value
|
|
pair must exist and match in the verified
|
|
payload. The payload may contain other key-value
|
|
pairs.
|
|
type: object
|
|
attestor:
|
|
description: Attestor is a nested AttestorSet
|
|
used to specify a more complex set of match
|
|
authorities
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
certificates:
|
|
description: Certificates specifies one or
|
|
more certificates
|
|
properties:
|
|
cert:
|
|
description: Certificate is an optional
|
|
PEM encoded public certificate.
|
|
type: string
|
|
certChain:
|
|
description: CertificateChain is an optional
|
|
PEM encoded set of certificates used
|
|
to verify
|
|
type: string
|
|
ctlog:
|
|
description: CTLog provides configuration
|
|
for validation of SCTs. If the value
|
|
is nil, default ctlog public key is
|
|
used
|
|
properties:
|
|
ignoreSCT:
|
|
description: IgnoreSCT requires that
|
|
a certificate contain an embedded
|
|
SCT during verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: CTLogPubKey, if set,
|
|
is used to validate SCTs against
|
|
those keys.
|
|
type: string
|
|
type: object
|
|
rekor:
|
|
description: Rekor provides configuration
|
|
for the Rekor transparency log service.
|
|
If an empty object is provided the public
|
|
instance of Rekor (https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips tlog
|
|
verification
|
|
type: boolean
|
|
pubkey:
|
|
description: RekorPubKey is an optional
|
|
PEM encoded public key to use for
|
|
a custom Rekor. If set, is used
|
|
to validate signatures on log entries
|
|
from Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address of
|
|
the transparency log. Defaults to
|
|
the public log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
type: object
|
|
keyless:
|
|
description: Keyless is a set of attributes
|
|
used to verify a Sigstore keyless attestor.
|
|
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions are
|
|
certificate-extensions used for keyless
|
|
signing.
|
|
type: object
|
|
ctlog:
|
|
description: CTLog provides configuration
|
|
for validation of SCTs. If the value
|
|
is nil, default ctlog public key is
|
|
used
|
|
properties:
|
|
ignoreSCT:
|
|
description: IgnoreSCT requires that
|
|
a certificate contain an embedded
|
|
SCT during verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: CTLogPubKey, if set,
|
|
is used to validate SCTs against
|
|
those keys.
|
|
type: string
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
rekor:
|
|
description: Rekor provides configuration
|
|
for the Rekor transparency log service.
|
|
If an empty object is provided the public
|
|
instance of Rekor (https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips tlog
|
|
verification
|
|
type: boolean
|
|
pubkey:
|
|
description: RekorPubKey is an optional
|
|
PEM encoded public key to use for
|
|
a custom Rekor. If set, is used
|
|
to validate signatures on log entries
|
|
from Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address of
|
|
the transparency log. Defaults to
|
|
the public log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
roots:
|
|
description: Roots is an optional set
|
|
of PEM encoded trusted root certificates.
|
|
If not provided, the system roots are
|
|
used.
|
|
type: string
|
|
subject:
|
|
description: Subject is the verified identity
|
|
used for keyless signing, for example
|
|
the email address
|
|
type: string
|
|
type: object
|
|
keys:
|
|
description: Keys specifies one or more public
|
|
keys
|
|
properties:
|
|
ctlog:
|
|
description: CTLog provides configuration
|
|
for validation of SCTs. If the value
|
|
is nil, default ctlog public key is
|
|
used
|
|
properties:
|
|
ignoreSCT:
|
|
description: IgnoreSCT requires that
|
|
a certificate contain an embedded
|
|
SCT during verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: CTLogPubKey, if set,
|
|
is used to validate SCTs against
|
|
those keys.
|
|
type: string
|
|
type: object
|
|
kms:
|
|
description: 'KMS provides the URI to
|
|
the public key stored in a Key Management
|
|
System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
|
|
type: string
|
|
publicKeys:
|
|
description: Keys is a set of X.509 public
|
|
keys used to verify image signatures.
|
|
The keys can be directly specified or
|
|
can be a variable reference to a key
|
|
specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
|
|
or reference a standard Kubernetes Secret
|
|
elsewhere in the cluster by specifying
|
|
it in the format "k8s://<namespace>/<secret_name>".
|
|
The named Secret must specify a key
|
|
`cosign.pub` containing the public key
|
|
used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
|
|
When multiple keys are specified each
|
|
key is processed as a separate staticKey
|
|
entry (.attestors[*].entries.keys) within
|
|
the set of attestors and the count is
|
|
applied across the keys.
|
|
type: string
|
|
rekor:
|
|
description: Rekor provides configuration
|
|
for the Rekor transparency log service.
|
|
If an empty object is provided the public
|
|
instance of Rekor (https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips tlog
|
|
verification
|
|
type: boolean
|
|
pubkey:
|
|
description: RekorPubKey is an optional
|
|
PEM encoded public key to use for
|
|
a custom Rekor. If set, is used
|
|
to validate signatures on log entries
|
|
from Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address of
|
|
the transparency log. Defaults to
|
|
the public log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
secret:
|
|
description: Reference to a Secret resource
|
|
that contains a public key
|
|
properties:
|
|
name:
|
|
description: Name of the secret. The
|
|
provided secret must contain a key
|
|
named cosign.pub.
|
|
type: string
|
|
namespace:
|
|
description: Namespace name where
|
|
the Secret exists.
|
|
type: string
|
|
required:
|
|
- name
|
|
- namespace
|
|
type: object
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Specify signature algorithm
|
|
for public keys. Supported values are
|
|
sha256 and sha512
|
|
type: string
|
|
type: object
|
|
repository:
|
|
description: Repository is an optional alternate
|
|
OCI repository to use for signatures and
|
|
attestations that match this rule. If specified
|
|
Repository will override other OCI image
|
|
repository locations for this Attestor.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
image:
|
|
description: Deprecated. Use ImageReferences instead.
|
|
type: string
|
|
imageReferences:
|
|
description: 'ImageReferences is a list of matching image
|
|
reference patterns. At least one pattern in the list
|
|
must match the image for the rule to apply. Each image
|
|
reference consists of a registry address (defaults to
|
|
docker.io), repository, image, and tag (defaults to
|
|
latest). Wildcards (''*'' and ''?'') are allowed. See:
|
|
https://kubernetes.io/docs/concepts/containers/images.'
|
|
items:
|
|
type: string
|
|
type: array
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides credentials
|
|
that will be used for authentication with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows insecure
|
|
access to a registry
|
|
type: boolean
|
|
providers:
|
|
description: 'Providers specifies a list of OCI Registry
|
|
names, whose authentication providers are provided.
|
|
It can be one of these values: AWS, ACR, GCP,
|
|
GHCR'
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: Secrets specifies a list of secrets that
|
|
are provided for credentials. Secrets must live in
|
|
the Kyverno namespace
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
issuer:
|
|
description: Deprecated. Use KeylessAttestor instead.
|
|
type: string
|
|
key:
|
|
description: Deprecated. Use StaticKeyAttestor instead.
|
|
type: string
|
|
mutateDigest:
|
|
default: true
|
|
description: MutateDigest enables replacement of image
|
|
tags with digests. Defaults to true.
|
|
type: boolean
|
|
repository:
|
|
description: Repository is an optional alternate OCI repository
|
|
to use for image signatures and attestations that match
|
|
this rule. If specified Repository will override the
|
|
default OCI image repository configured for the installation.
|
|
The repository can also be overridden per Attestor or
|
|
Attestation.
|
|
type: string
|
|
required:
|
|
default: true
|
|
description: Required validates that images are verified
|
|
i.e. have matched and passed a signature or attestation
|
|
check.
|
|
type: boolean
|
|
roots:
|
|
description: Deprecated. Use KeylessAttestor instead.
|
|
type: string
|
|
subject:
|
|
description: Deprecated. Use KeylessAttestor instead.
|
|
type: string
|
|
type:
|
|
description: Type specifies the method of signature validation.
|
|
The allowed options are Cosign and Notary. By default
|
|
Cosign is used if a type is not specified.
|
|
enum:
|
|
- Cosign
|
|
- Notary
|
|
type: string
|
|
useCache:
|
|
default: true
|
|
description: UseCache enables caching of image verify
|
|
responses for this rule
|
|
type: boolean
|
|
verifyDigest:
|
|
default: true
|
|
description: VerifyDigest validates that images have a
|
|
digest.
|
|
type: boolean
|
|
type: object
|
|
type: array
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
schemaValidation:
|
|
description: SchemaValidation skips validation checks for policies
|
|
as well as patched resources. Optional. The default value is set
|
|
to "true", it must be set to "false" to disable the validation checks.
|
|
type: boolean
|
|
useServerSideApply:
|
|
description: UseServerSideApply controls whether to use server-side
|
|
apply for generate rules. If it is set to "true", create & update for
|
|
generate rules will use apply instead of create/update. Defaults
|
|
to "false" if not specified.
|
|
type: boolean
|
|
validationFailureAction:
|
|
default: Audit
|
|
description: ValidationFailureAction defines if a validation policy
|
|
rule violation should block the admission review request (enforce),
|
|
or allow (audit) the admission review request and report an error
|
|
in a policy report. Optional. Allowed values are audit or enforce.
|
|
The default value is "Audit".
|
|
enum:
|
|
- audit
|
|
- enforce
|
|
- Audit
|
|
- Enforce
|
|
type: string
|
|
validationFailureActionOverrides:
|
|
description: ValidationFailureActionOverrides is a Cluster Policy
|
|
attribute that specifies ValidationFailureAction namespace-wise.
|
|
It overrides ValidationFailureAction for the specified namespaces.
|
|
items:
|
|
properties:
|
|
action:
|
|
description: ValidationFailureAction defines the policy validation
|
|
failure action
|
|
enum:
|
|
- audit
|
|
- enforce
|
|
- Audit
|
|
- Enforce
|
|
type: string
|
|
namespaceSelector:
|
|
description: A label selector is a label query over a set of
|
|
resources. The result of matchLabels and matchExpressions
|
|
are ANDed. An empty label selector matches all objects. A
|
|
null label selector matches no objects.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label selector
|
|
requirements. The requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement is a selector
|
|
that contains values, a key, and an operator that relates
|
|
the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the selector
|
|
applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's relationship
|
|
to a set of values. Valid operators are In, NotIn,
|
|
Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string values.
|
|
If the operator is In or NotIn, the values array
|
|
must be non-empty. If the operator is Exists or
|
|
DoesNotExist, the values array must be empty. This
|
|
array is replaced during a strategic merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value} pairs.
|
|
A single {key,value} in the matchLabels map is equivalent
|
|
to an element of matchExpressions, whose key field is
|
|
"key", the operator is "In", and the values array contains
|
|
only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
type: array
|
|
webhookTimeoutSeconds:
|
|
description: WebhookTimeoutSeconds specifies the maximum time in seconds
|
|
allowed to apply this policy. After the configured time expires,
|
|
the admission request may fail, or may simply ignore the policy
|
|
results, based on the failure policy. The default timeout is 10s,
|
|
the value must be between 1 and 30 seconds.
|
|
format: int32
|
|
type: integer
|
|
type: object
|
|
status:
|
|
description: Deprecated. Policy metrics are available via the metrics
|
|
endpoint
|
|
properties:
|
|
autogen:
|
|
description: AutogenStatus contains autogen status information.
|
|
properties:
|
|
rules:
|
|
description: Rules is a list of Rule instances. It contains auto
|
|
generated rules added for pod controllers
|
|
items:
|
|
description: Rule defines a validation, mutation, or generation
|
|
control for matching resources. Each rule contains a match
|
|
declaration to select resources, and an optional exclude declaration
|
|
to specify which resources to exclude.
|
|
properties:
|
|
celPreconditions:
|
|
description: CELPreconditions are used to determine if a
|
|
policy rule should be applied by evaluating a set of CEL
|
|
conditions. It can only be used with the validate.cel
|
|
subrule
|
|
items:
|
|
description: MatchCondition represents a condition which
|
|
must be fulfilled for a request to be sent to a webhook.
|
|
properties:
|
|
expression:
|
|
description: "Expression represents the expression
|
|
which will be evaluated by CEL. Must evaluate to
|
|
bool. CEL expressions have access to the contents
|
|
of the AdmissionRequest and Authorizer, organized
|
|
into CEL variables: \n 'object' - The object from
|
|
the incoming request. The value is null for DELETE
|
|
requests. 'oldObject' - The existing object. The
|
|
value is null for CREATE requests. 'request' - Attributes
|
|
of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
|
|
'authorizer' - A CEL Authorizer. May be used to
|
|
perform authorization checks for the principal (user
|
|
or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
|
'authorizer.requestResource' - A CEL ResourceCheck
|
|
constructed from the 'authorizer' and configured
|
|
with the request resource. Documentation on CEL:
|
|
https://kubernetes.io/docs/reference/using-api/cel/
|
|
\n Required."
|
|
type: string
|
|
name:
|
|
description: "Name is an identifier for this match
|
|
condition, used for strategic merging of MatchConditions,
|
|
as well as providing an identifier for logging purposes.
|
|
A good name should be descriptive of the associated
|
|
expression. Name must be a qualified name consisting
|
|
of alphanumeric characters, '-', '_' or '.', and
|
|
must start and end with an alphanumeric character
|
|
(e.g. 'MyName', or 'my.name', or '123-abc', regex
|
|
used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
|
|
with an optional DNS subdomain prefix and '/' (e.g.
|
|
'example.com/MyName') \n Required."
|
|
type: string
|
|
required:
|
|
- expression
|
|
- name
|
|
type: object
|
|
type: array
|
|
context:
|
|
description: Context defines variables and data sources
|
|
that can be used during rule execution.
|
|
items:
|
|
description: ContextEntry adds variables and data sources
|
|
to a rule Context. Either a ConfigMap reference or a
|
|
APILookup must be provided.
|
|
properties:
|
|
apiCall:
|
|
description: APICall is an HTTP request to the Kubernetes
|
|
API server, or other JSON web service. The data
|
|
returned is stored in the context with the name
|
|
for the context entry.
|
|
properties:
|
|
data:
|
|
description: Data specifies the POST data sent
|
|
to the server.
|
|
items:
|
|
description: RequestData contains the HTTP POST
|
|
data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
jmesPath:
|
|
description: JMESPath is an optional JSON Match
|
|
Expression that can be used to transform the
|
|
JSON response returned from the server. For
|
|
example a JMESPath of "items | length(@)" applied
|
|
to the API server response for the URLPath "/apis/apps/v1/deployments"
|
|
will return the total count of deployments across
|
|
all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request type (GET
|
|
or POST).
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: Service is an API call to a JSON
|
|
web service
|
|
properties:
|
|
caBundle:
|
|
description: CABundle is a PEM encoded CA
|
|
bundle which will be used to validate the
|
|
server certificate.
|
|
type: string
|
|
url:
|
|
description: URL is the JSON web service URL.
|
|
A typical form is `https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: URLPath is the URL path to be used
|
|
in the HTTP GET or POST request to the Kubernetes
|
|
API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used
|
|
by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: ImageRegistry defines requests to an
|
|
OCI/Docker V2 registry to fetch image details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides
|
|
credentials that will be used for authentication
|
|
with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows
|
|
insecure access to a registry
|
|
type: boolean
|
|
providers:
|
|
description: 'Providers specifies a list of
|
|
OCI Registry names, whose authentication
|
|
providers are provided. It can be one
|
|
of these values: AWS, ACR, GCP, GHCR'
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential providers
|
|
required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: Secrets specifies a list of secrets
|
|
that are provided for credentials. Secrets
|
|
must live in the Kyverno namespace
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: JMESPath is an optional JSON Match
|
|
Expression that can be used to transform the
|
|
ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: 'Reference is image reference to
|
|
a container image in the registry. Example:
|
|
ghcr.io/kyverno/kyverno:latest'
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath
|
|
context variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: Default is an optional arbitrary
|
|
JSON object that the variable may take if the
|
|
JMESPath expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: JMESPath is an optional JMESPath
|
|
Expression that can be used to transform the
|
|
variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON object
|
|
representable in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: object
|
|
type: array
|
|
exclude:
|
|
description: ExcludeResources defines when this policy rule
|
|
should not be applied. The exclude criteria can include
|
|
resource information (e.g. kind, name, namespace, labels)
|
|
and admission review request information like the name
|
|
or role.
|
|
properties:
|
|
all:
|
|
description: All allows specifying resources which will
|
|
be ANDed
|
|
items:
|
|
description: ResourceFilter allows users to "AND" or
|
|
"OR" between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations is a map of annotations
|
|
(key-value pairs of type string). Annotation
|
|
keys and values support the wildcard characters
|
|
"*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: 'Name is the name of the resource.
|
|
The name supports wildcard characters "*"
|
|
(matches zero or many characters) and "?"
|
|
(at least one character). NOTE: "Name" is
|
|
being deprecated in favor of "Names".'
|
|
type: string
|
|
names:
|
|
description: Names are the names of the resources.
|
|
Each name supports wildcard characters "*"
|
|
(matches zero or many characters) and "?"
|
|
(at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: 'NamespaceSelector is a label
|
|
selector for the resource namespace. Label
|
|
keys and values in `matchLabels` support
|
|
the wildcard characters `*` (matches zero
|
|
or many characters) and `?` (matches one
|
|
character). Wildcards allow writing label
|
|
selectors like ["storage.k8s.io/*": "*"].
|
|
Note that using ["*" : "*"] matches any
|
|
key and value but does not match an empty
|
|
label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values,
|
|
a key, and an operator that relates
|
|
the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents
|
|
a key's relationship to a set
|
|
of values. Valid operators are
|
|
In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array
|
|
of string values. If the operator
|
|
is In or NotIn, the values array
|
|
must be non-empty. If the operator
|
|
is Exists or DoesNotExist, the
|
|
values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator
|
|
is "In", and the values array contains
|
|
only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: Namespaces is a list of namespace
|
|
names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and
|
|
"?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values
|
|
["CREATE", "UPDATE", "CONNECT", "DELETE"],
|
|
which are used to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have
|
|
one of the values CREATE, UPDATE, CONNECT,
|
|
DELETE, which are used to match a specific
|
|
action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: 'Selector is a label selector.
|
|
Label keys and values in `matchLabels` support
|
|
the wildcard characters `*` (matches zero
|
|
or many characters) and `?` (matches one
|
|
character). Wildcards allow writing label
|
|
selectors like ["storage.k8s.io/*": "*"].
|
|
Note that using ["*" : "*"] matches any
|
|
key and value but does not match an empty
|
|
label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values,
|
|
a key, and an operator that relates
|
|
the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents
|
|
a key's relationship to a set
|
|
of values. Valid operators are
|
|
In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array
|
|
of string values. If the operator
|
|
is In or NotIn, the values array
|
|
must be non-empty. If the operator
|
|
is Exists or DoesNotExist, the
|
|
values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator
|
|
is "In", and the values array contains
|
|
only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: Subject contains a reference to
|
|
the object or user identities a role binding
|
|
applies to. This can either hold a direct
|
|
API object reference, or a value for non-objects
|
|
such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: APIGroup holds the API group
|
|
of the referenced subject. Defaults to
|
|
"" for ServiceAccount subjects. Defaults
|
|
to "rbac.authorization.k8s.io" for User
|
|
and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: Kind of object being referenced.
|
|
Values defined by this API group are "User",
|
|
"Group", and "ServiceAccount". If the
|
|
Authorizer does not recognize the kind
|
|
value, the Authorizer should report an
|
|
error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the referenced
|
|
object. If the object kind is non-namespace,
|
|
such as "User" or "Group", and this value
|
|
is not empty the Authorizer should report
|
|
an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: Any allows specifying resources which will
|
|
be ORed
|
|
items:
|
|
description: ResourceFilter allows users to "AND" or
|
|
"OR" between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations is a map of annotations
|
|
(key-value pairs of type string). Annotation
|
|
keys and values support the wildcard characters
|
|
"*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: 'Name is the name of the resource.
|
|
The name supports wildcard characters "*"
|
|
(matches zero or many characters) and "?"
|
|
(at least one character). NOTE: "Name" is
|
|
being deprecated in favor of "Names".'
|
|
type: string
|
|
names:
|
|
description: Names are the names of the resources.
|
|
Each name supports wildcard characters "*"
|
|
(matches zero or many characters) and "?"
|
|
(at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: 'NamespaceSelector is a label
|
|
selector for the resource namespace. Label
|
|
keys and values in `matchLabels` support
|
|
the wildcard characters `*` (matches zero
|
|
or many characters) and `?` (matches one
|
|
character). Wildcards allow writing label
|
|
selectors like ["storage.k8s.io/*": "*"].
|
|
Note that using ["*" : "*"] matches any
|
|
key and value but does not match an empty
|
|
label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values,
|
|
a key, and an operator that relates
|
|
the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents
|
|
a key's relationship to a set
|
|
of values. Valid operators are
|
|
In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array
|
|
of string values. If the operator
|
|
is In or NotIn, the values array
|
|
must be non-empty. If the operator
|
|
is Exists or DoesNotExist, the
|
|
values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator
|
|
is "In", and the values array contains
|
|
only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: Namespaces is a list of namespace
|
|
names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and
|
|
"?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values
|
|
["CREATE", "UPDATE", "CONNECT", "DELETE"],
|
|
which are used to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have
|
|
one of the values CREATE, UPDATE, CONNECT,
|
|
DELETE, which are used to match a specific
|
|
action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: 'Selector is a label selector.
|
|
Label keys and values in `matchLabels` support
|
|
the wildcard characters `*` (matches zero
|
|
or many characters) and `?` (matches one
|
|
character). Wildcards allow writing label
|
|
selectors like ["storage.k8s.io/*": "*"].
|
|
Note that using ["*" : "*"] matches any
|
|
key and value but does not match an empty
|
|
label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values,
|
|
a key, and an operator that relates
|
|
the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents
|
|
a key's relationship to a set
|
|
of values. Valid operators are
|
|
In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array
|
|
of string values. If the operator
|
|
is In or NotIn, the values array
|
|
must be non-empty. If the operator
|
|
is Exists or DoesNotExist, the
|
|
values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator
|
|
is "In", and the values array contains
|
|
only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: Subject contains a reference to
|
|
the object or user identities a role binding
|
|
applies to. This can either hold a direct
|
|
API object reference, or a value for non-objects
|
|
such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: APIGroup holds the API group
|
|
of the referenced subject. Defaults to
|
|
"" for ServiceAccount subjects. Defaults
|
|
to "rbac.authorization.k8s.io" for User
|
|
and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: Kind of object being referenced.
|
|
Values defined by this API group are "User",
|
|
"Group", and "ServiceAccount". If the
|
|
Authorizer does not recognize the kind
|
|
value, the Authorizer should report an
|
|
error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the referenced
|
|
object. If the object kind is non-namespace,
|
|
such as "User" or "Group", and this value
|
|
is not empty, the Authorizer should report
|
|
an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified. Requires
|
|
at least one tag to be specified when under MatchResources.
|
|
Specifying ResourceDescription directly under match
|
|
is being deprecated. Please specify under "any" or
|
|
"all" instead.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations is a map of annotations
|
|
(key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*"
|
|
(matches zero or many characters) and "?" (matches
|
|
at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: 'Name is the name of the resource.
|
|
The name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one
|
|
character). NOTE: "Name" is being deprecated in
|
|
favor of "Names".'
|
|
type: string
|
|
names:
|
|
description: Names are the names of the resources.
|
|
Each name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one
|
|
character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: 'NamespaceSelector is a label selector
|
|
for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters
|
|
`*` (matches zero or many characters) and `?`
|
|
(matches one character). Wildcards allow writing
|
|
label selectors like ["storage.k8s.io/*": "*"].
|
|
Note that using ["*" : "*"] matches any key and
|
|
value but does not match an empty label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a key,
|
|
and an operator that relates the key and
|
|
values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only "value".
|
|
The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: Namespaces is a list of namespace
|
|
names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?"
|
|
(at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used
|
|
to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one of
|
|
the values CREATE, UPDATE, CONNECT, DELETE,
|
|
which are used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: 'Selector is a label selector. Label
|
|
keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow
|
|
writing label selectors like ["storage.k8s.io/*":
|
|
"*"]. Note that using ["*" : "*"] matches any
|
|
key and value but does not match an empty label
|
|
set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a key,
|
|
and an operator that relates the key and
|
|
values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only "value".
|
|
The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: Subject contains a reference to the object
|
|
or user identities a role binding applies to. This
|
|
can either hold a direct API object reference, or
|
|
a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: APIGroup holds the API group of the
|
|
referenced subject. Defaults to "" for ServiceAccount
|
|
subjects. Defaults to "rbac.authorization.k8s.io"
|
|
for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: Kind of object being referenced.
|
|
Values defined by this API group are "User",
|
|
"Group", and "ServiceAccount". If the Authorizer
|
|
does not recognize the kind value, the Authorizer
|
|
should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the referenced object. If
|
|
the object kind is non-namespace, such as "User"
|
|
or "Group", and this value is not empty, the
|
|
Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
generate:
|
|
description: Generation is used to create new resources.
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
clone:
|
|
description: Clone specifies the source resource used
|
|
to populate each generated resource. At most one of
|
|
Data or Clone can be specified. If neither are provided,
|
|
the generated resource will be created with default
|
|
data only.
|
|
properties:
|
|
name:
|
|
description: Name specifies name of the resource.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies source resource
|
|
namespace.
|
|
type: string
|
|
type: object
|
|
cloneList:
|
|
description: CloneList specifies the list of source
|
|
resource used to populate each generated resource.
|
|
properties:
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespace:
|
|
description: Namespace specifies source resource
|
|
namespace.
|
|
type: string
|
|
selector:
|
|
description: Selector is a label selector. Label
|
|
keys and values in `matchLabels` do not support wildcard
characters (unlike the selectors under `match`).
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a key,
|
|
and an operator that relates the key and
|
|
values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only "value".
|
|
The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
data:
|
|
description: Data provides the resource declaration
|
|
used to populate each generated resource. At most
|
|
one of Data or Clone must be specified. If neither
|
|
are provided, the generated resource will be created
with default data only. Data is a free-form object whose
unknown fields are preserved rather than pruned or validated
against a schema by the API server.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
synchronize:
|
|
description: Synchronize controls if generated resources
|
|
should be kept in-sync with their source resource.
|
|
If Synchronize is set to "true", changes to generated
|
|
resources will be overwritten with resource data from
|
|
Data or the resource specified in the Clone declaration.
|
|
Optional. Defaults to "false" if not specified.
|
|
type: boolean
|
|
type: object
|
|
imageExtractors:
|
|
additionalProperties:
|
|
items:
|
|
properties:
|
|
jmesPath:
|
|
description: 'JMESPath is an optional JMESPath expression
|
|
to apply to the image value. This is useful when
|
|
the extracted image begins with a prefix like
|
|
''docker://''. The ''trim_prefix'' function may
|
|
be used to trim the prefix: trim_prefix(@, ''docker://'').
|
|
Note - Image digest mutation may not be used when
|
|
applying a JMESPath to an image.'
|
|
type: string
|
|
key:
|
|
description: Key is an optional name of the field
|
|
within 'path' that will be used to uniquely identify
|
|
an image. Note - this field MUST be unique.
|
|
type: string
|
|
name:
|
|
description: Name is the entry the image will be
|
|
available under 'images.<name>' in the context.
|
|
If this field is not defined, image entries will
|
|
appear under 'images.custom'.
|
|
type: string
|
|
path:
|
|
description: Path is the path to the object containing
|
|
the image field in a custom resource. It should
|
|
be slash-separated. Each slash-separated key must
|
|
be a valid YAML key or a wildcard '*'. Wildcard
|
|
keys are expanded in case of arrays or objects.
|
|
type: string
|
|
value:
|
|
description: Value is an optional name of the field
|
|
within 'path' that points to the image URI. This
|
|
is useful when a custom 'key' is also defined.
|
|
type: string
|
|
required:
|
|
- path
|
|
type: object
|
|
type: array
|
|
description: ImageExtractors defines a mapping from kinds
|
|
to ImageExtractorConfigs. This config is only valid for
|
|
verifyImages rules.
|
|
type: object
|
|
match:
|
|
description: MatchResources defines when this policy rule
|
|
should be applied. The match criteria can include resource
|
|
information (e.g. kind, name, namespace, labels) and admission
|
|
review request information like the user name or role.
|
|
At least one kind is required.
|
|
properties:
|
|
all:
|
|
description: All allows specifying resources which will
|
|
be ANDed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or
|
|
"OR" between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations is a map of annotations
|
|
(key-value pairs of type string). Annotation
|
|
keys and values support the wildcard characters
|
|
"*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: 'Name is the name of the resource.
|
|
The name supports wildcard characters "*"
|
|
(matches zero or many characters) and "?"
|
|
(at least one character). NOTE: "Name" is
|
|
being deprecated in favor of "Names".'
|
|
type: string
|
|
names:
|
|
description: Names are the names of the resources.
|
|
Each name supports wildcard characters "*"
|
|
(matches zero or many characters) and "?"
|
|
(at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: 'NamespaceSelector is a label
|
|
selector for the resource namespace. Label
|
|
keys and values in `matchLabels` support
|
|
the wildcard characters `*` (matches zero
|
|
or many characters) and `?` (matches one
|
|
character). Wildcards allow writing label
|
|
selectors like ["storage.k8s.io/*": "*"].
|
|
Note that using ["*" : "*"] matches any
|
|
key and value but does not match an empty
|
|
label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values,
|
|
a key, and an operator that relates
|
|
the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents
|
|
a key's relationship to a set
|
|
of values. Valid operators are
|
|
In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array
|
|
of string values. If the operator
|
|
is In or NotIn, the values array
|
|
must be non-empty. If the operator
|
|
is Exists or DoesNotExist, the
|
|
values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator
|
|
is "In", and the values array contains
|
|
only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: Namespaces is a list of namespace
|
|
names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and
|
|
"?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values
|
|
["CREATE", "UPDATE", "CONNECT", "DELETE"],
|
|
which are used to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have
|
|
one of the values CREATE, UPDATE, CONNECT,
|
|
DELETE, which are used to match a specific
|
|
action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: 'Selector is a label selector.
|
|
Label keys and values in `matchLabels` support
|
|
the wildcard characters `*` (matches zero
|
|
or many characters) and `?` (matches one
|
|
character). Wildcards allow writing label
|
|
selectors like ["storage.k8s.io/*": "*"].
|
|
Note that using ["*" : "*"] matches any
|
|
key and value but does not match an empty
|
|
label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values,
|
|
a key, and an operator that relates
|
|
the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents
|
|
a key's relationship to a set
|
|
of values. Valid operators are
|
|
In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array
|
|
of string values. If the operator
|
|
is In or NotIn, the values array
|
|
must be non-empty. If the operator
|
|
is Exists or DoesNotExist, the
|
|
values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator
|
|
is "In", and the values array contains
|
|
only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: Subject contains a reference to
|
|
the object or user identities a role binding
|
|
applies to. This can either hold a direct
|
|
API object reference, or a value for non-objects
|
|
such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: APIGroup holds the API group
|
|
of the referenced subject. Defaults to
|
|
"" for ServiceAccount subjects. Defaults
|
|
to "rbac.authorization.k8s.io" for User
|
|
and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: Kind of object being referenced.
|
|
Values defined by this API group are "User",
|
|
"Group", and "ServiceAccount". If the
|
|
Authorizer does not recognize the kind
|
|
value, the Authorizer should report an
|
|
error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the referenced
|
|
object. If the object kind is non-namespace,
|
|
such as "User" or "Group", and this value
|
|
is not empty, the Authorizer should report
|
|
an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: Any allows specifying resources which will
|
|
be ORed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or
|
|
"OR" between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations is a map of annotations
|
|
(key-value pairs of type string). Annotation
|
|
keys and values support the wildcard characters
|
|
"*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: 'Name is the name of the resource.
|
|
The name supports wildcard characters "*"
|
|
(matches zero or many characters) and "?"
|
|
(at least one character). NOTE: "Name" is
|
|
being deprecated in favor of "Names".'
|
|
type: string
|
|
names:
|
|
description: Names are the names of the resources.
|
|
Each name supports wildcard characters "*"
|
|
(matches zero or many characters) and "?"
|
|
(at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: 'NamespaceSelector is a label
|
|
selector for the resource namespace. Label
|
|
keys and values in `matchLabels` support
|
|
the wildcard characters `*` (matches zero
|
|
or many characters) and `?` (matches one
|
|
character). Wildcards allow writing label
|
|
selectors like ["storage.k8s.io/*": "*"].
|
|
Note that using ["*" : "*"] matches any
|
|
key and value but does not match an empty
|
|
label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values,
|
|
a key, and an operator that relates
|
|
the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents
|
|
a key's relationship to a set
|
|
of values. Valid operators are
|
|
In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array
|
|
of string values. If the operator
|
|
is In or NotIn, the values array
|
|
must be non-empty. If the operator
|
|
is Exists or DoesNotExist, the
|
|
values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator
|
|
is "In", and the values array contains
|
|
only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: Namespaces is a list of namespace
|
|
names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and
|
|
"?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values
|
|
["CREATE", "UPDATE", "CONNECT", "DELETE"],
|
|
which are used to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have
|
|
one of the values CREATE, UPDATE, CONNECT,
|
|
DELETE, which are used to match a specific
|
|
action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: 'Selector is a label selector.
|
|
Label keys and values in `matchLabels` support
|
|
the wildcard characters `*` (matches zero
|
|
or many characters) and `?` (matches one
|
|
character). Wildcards allow writing label
|
|
selectors like ["storage.k8s.io/*": "*"].
|
|
Note that using ["*" : "*"] matches any
|
|
key and value but does not match an empty
|
|
label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values,
|
|
a key, and an operator that relates
|
|
the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents
|
|
a key's relationship to a set
|
|
of values. Valid operators are
|
|
In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array
|
|
of string values. If the operator
|
|
is In or NotIn, the values array
|
|
must be non-empty. If the operator
|
|
is Exists or DoesNotExist, the
|
|
values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator
|
|
is "In", and the values array contains
|
|
only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: Subject contains a reference to
|
|
the object or user identities a role binding
|
|
applies to. This can either hold a direct
|
|
API object reference, or a value for non-objects
|
|
such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: APIGroup holds the API group
|
|
of the referenced subject. Defaults to
|
|
"" for ServiceAccount subjects. Defaults
|
|
to "rbac.authorization.k8s.io" for User
|
|
and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: Kind of object being referenced.
|
|
Values defined by this API group are "User",
|
|
"Group", and "ServiceAccount". If the
|
|
Authorizer does not recognize the kind
|
|
value, the Authorizer should report an
|
|
error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the referenced
|
|
object. If the object kind is non-namespace,
|
|
such as "User" or "Group", and this value
|
|
is not empty, the Authorizer should report
|
|
an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified. Requires
|
|
at least one tag to be specified when under MatchResources.
|
|
Specifying ResourceDescription directly under match
|
|
is being deprecated. Please specify under "any" or
|
|
"all" instead.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations is a map of annotations
|
|
(key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*"
|
|
(matches zero or many characters) and "?" (matches
|
|
at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: 'Name is the name of the resource.
|
|
The name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one
|
|
character). NOTE: "Name" is being deprecated in
|
|
favor of "Names".'
|
|
type: string
|
|
names:
|
|
description: Names are the names of the resources.
|
|
Each name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one
|
|
character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: 'NamespaceSelector is a label selector
|
|
for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters
|
|
`*` (matches zero or many characters) and `?`
|
|
(matches one character). Wildcards allow writing
|
|
label selectors like ["storage.k8s.io/*": "*"].
|
|
Note that using ["*" : "*"] matches any key and
|
|
value but does not match an empty label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a key,
|
|
and an operator that relates the key and
|
|
values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only "value".
|
|
The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: Namespaces is a list of namespaces
|
|
names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?"
|
|
(at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used
|
|
to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one of
|
|
the values CREATE, UPDATE, CONNECT, DELETE,
|
|
which are used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: 'Selector is a label selector. Label
|
|
keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow
|
|
writing label selectors like ["storage.k8s.io/*":
|
|
"*"]. Note that using ["*" : "*"] matches any
|
|
key and value but does not match an empty label
|
|
set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a key,
|
|
and an operator that relates the key and
|
|
values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only "value".
|
|
The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: Subject contains a reference to the object
|
|
or user identities a role binding applies to. This
|
|
can either hold a direct API object reference, or
|
|
a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: APIGroup holds the API group of the
|
|
referenced subject. Defaults to "" for ServiceAccount
|
|
subjects. Defaults to "rbac.authorization.k8s.io"
|
|
for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: Kind of object being referenced.
|
|
Values defined by this API group are "User",
|
|
"Group", and "ServiceAccount". If the Authorizer
|
|
does not recognize the kind value, the Authorizer
|
|
should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the referenced object. If
|
|
the object kind is non-namespace, such as "User"
|
|
or "Group", and this value is not empty the
|
|
Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
mutate:
|
|
description: Mutation is used to modify matching resources.
|
|
properties:
|
|
foreach:
|
|
description: ForEach applies mutation rules to a list
|
|
of sub-elements by creating a context for each entry
|
|
in the list and looping over it to apply the specified
|
|
logic.
|
|
items:
|
|
description: ForEachMutation applies mutation rules
|
|
to a list of sub-elements by creating a context
|
|
for each entry in the list and looping over it to
|
|
apply the specified logic.
|
|
properties:
|
|
context:
|
|
description: Context defines variables and data
|
|
sources that can be used during rule execution.
|
|
items:
|
|
description: ContextEntry adds variables and
|
|
data sources to a rule Context. Either a ConfigMap
|
|
reference or an APILookup must be provided.
|
|
properties:
|
|
apiCall:
|
|
description: APICall is an HTTP request
|
|
to the Kubernetes API server, or other
|
|
JSON web service. The data returned is
|
|
stored in the context with the name for
|
|
the context entry.
|
|
properties:
|
|
data:
|
|
description: Data specifies the POST
|
|
data sent to the server.
|
|
items:
|
|
description: RequestData contains
|
|
the HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data
|
|
value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
jmesPath:
|
|
description: JMESPath is an optional
|
|
JSON Match Expression that can be
|
|
used to transform the JSON response
|
|
returned from the server. For example
|
|
a JMESPath of "items | length(@)"
|
|
applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments"
|
|
will return the total count of deployments
|
|
across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST).
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: Service is an API call
|
|
to a JSON web service
|
|
properties:
|
|
caBundle:
|
|
description: CABundle is a PEM encoded
|
|
CA bundle which will be used to
|
|
validate the server certificate.
|
|
type: string
|
|
url:
|
|
description: URL is the JSON web
|
|
service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: URLPath is the URL path
|
|
to be used in the HTTP GET or POST
|
|
request to the Kubernetes API server
|
|
(e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format
|
|
used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap
|
|
reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: ImageRegistry defines requests
|
|
to an OCI/Docker V2 registry to fetch
|
|
image details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials
|
|
provides credentials that will be
|
|
used for authentication with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry
|
|
allows insecure access to a registry
|
|
type: boolean
|
|
providers:
|
|
description: 'Providers specifies
|
|
a list of OCI Registry names,
|
|
whose authentication providers
|
|
are provided. It can be of one
|
|
of these values: AWS, ACR, GCP,
|
|
GHCR'
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: Secrets specifies a
|
|
list of secrets that are provided
|
|
for credentials. Secrets must live
|
|
in the Kyverno namespace
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: JMESPath is an optional
|
|
JSON Match Expression that can be
|
|
used to transform the ImageData struct
|
|
returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: 'Reference is image reference
|
|
to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest'
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary
|
|
JMESPath context variable that can be
|
|
defined inline.
|
|
properties:
|
|
default:
|
|
description: Default is an optional
|
|
arbitrary JSON object that the variable
|
|
may take if the JMESPath expression
|
|
evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: JMESPath is an optional
|
|
JMESPath Expression that can be used
|
|
to transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary
|
|
JSON object representable in YAML
|
|
or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: object
|
|
type: array
|
|
foreach:
|
|
description: Foreach declares a nested foreach
|
|
iterator
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
list:
|
|
description: List specifies a JMESPath expression
|
|
that results in one or more elements to which
|
|
the validation logic is applied.
|
|
type: string
|
|
order:
|
|
description: Order defines the iteration order
|
|
on the list. Can be Ascending to iterate from
|
|
first to last element or Descending to iterate
|
|
from last to first element.
|
|
enum:
|
|
- Ascending
|
|
- Descending
|
|
type: string
|
|
patchStrategicMerge:
|
|
description: PatchStrategicMerge is a strategic
|
|
merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
|
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
patchesJson6902:
|
|
description: PatchesJSON6902 is a list of RFC
|
|
6902 JSON Patch declarations used to modify
|
|
resources. See https://tools.ietf.org/html/rfc6902
|
|
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
|
type: string
|
|
preconditions:
|
|
description: 'AnyAllConditions are used to determine
|
|
if a policy rule should be applied by evaluating
|
|
a set of conditions. The declaration can contain
|
|
nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
|
|
properties:
|
|
all:
|
|
description: AllConditions enable variable-based
|
|
conditional rule execution. This is useful
|
|
for finer control of when a rule is applied.
|
|
A condition can reference object data using
|
|
JMESPath notation. Here, all of the conditions
|
|
need to pass.
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: 'Operator is the conditional
|
|
operation to perform. Valid operators
|
|
are: Equals, NotEquals, In, AnyIn,
|
|
AllIn, NotIn, AnyNotIn, AllNotIn,
|
|
GreaterThanOrEquals, GreaterThan,
|
|
LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
|
|
DurationGreaterThan, DurationLessThanOrEquals,
|
|
DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional
|
|
value, or set of values. The values
|
|
can be fixed set or can be variables
|
|
declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: AnyConditions enable variable-based
|
|
conditional rule execution. This is useful
|
|
for finer control of when a rule is applied.
|
|
A condition can reference object data using
|
|
JMESPath notation. Here, at least one of
|
|
the conditions need to pass.
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: 'Operator is the conditional
|
|
operation to perform. Valid operators
|
|
are: Equals, NotEquals, In, AnyIn,
|
|
AllIn, NotIn, AnyNotIn, AllNotIn,
|
|
GreaterThanOrEquals, GreaterThan,
|
|
LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
|
|
DurationGreaterThan, DurationLessThanOrEquals,
|
|
DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional
|
|
value, or set of values. The values
|
|
can be fixed set or can be variables
|
|
declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
patchStrategicMerge:
|
|
description: PatchStrategicMerge is a strategic merge
|
|
patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
|
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
patchesJson6902:
|
|
description: PatchesJSON6902 is a list of RFC 6902 JSON
|
|
Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902
|
|
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
|
type: string
|
|
targets:
|
|
description: Targets defines the target resources to
|
|
be mutated.
|
|
items:
|
|
description: TargetResourceSpec defines targets for
|
|
mutating existing resources.
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
context:
|
|
description: Context defines variables and data
|
|
sources that can be used during rule execution.
|
|
items:
|
|
description: ContextEntry adds variables and
|
|
data sources to a rule Context. Either a ConfigMap
|
|
reference or an APILookup must be provided.
|
|
properties:
|
|
apiCall:
|
|
description: APICall is an HTTP request
|
|
to the Kubernetes API server, or other
|
|
JSON web service. The data returned is
|
|
stored in the context with the name for
|
|
the context entry.
|
|
properties:
|
|
data:
|
|
description: Data specifies the POST
|
|
data sent to the server.
|
|
items:
|
|
description: RequestData contains
|
|
the HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data
|
|
value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
jmesPath:
|
|
description: JMESPath is an optional
|
|
JSON Match Expression that can be
|
|
used to transform the JSON response
|
|
returned from the server. For example
|
|
a JMESPath of "items | length(@)"
|
|
applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments"
|
|
will return the total count of deployments
|
|
across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST).
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: Service is an API call
|
|
to a JSON web service
|
|
properties:
|
|
caBundle:
|
|
description: CABundle is a PEM encoded
|
|
CA bundle which will be used to
|
|
validate the server certificate.
|
|
type: string
|
|
url:
|
|
description: URL is the JSON web
|
|
service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: URLPath is the URL path
|
|
to be used in the HTTP GET or POST
|
|
request to the Kubernetes API server
|
|
(e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format
|
|
used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap
|
|
reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: ImageRegistry defines requests
|
|
to an OCI/Docker V2 registry to fetch
|
|
image details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials
|
|
provides credentials that will be
|
|
used for authentication with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry
|
|
allows insecure access to a registry
|
|
type: boolean
|
|
providers:
|
|
description: 'Providers specifies
|
|
a list of OCI Registry names,
|
|
whose authentication providers
|
|
are provided. It can be of one
|
|
of these values: AWS, ACR, GCP,
|
|
GHCR'
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: Secrets specifies a
|
|
list of secrets that are provided
|
|
for credentials. Secrets must live
|
|
in the Kyverno namespace
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: JMESPath is an optional
|
|
JSON Match Expression that can be
|
|
used to transform the ImageData struct
|
|
returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: 'Reference is image reference
|
|
to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest'
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary
|
|
JMESPath context variable that can be
|
|
defined inline.
|
|
properties:
|
|
default:
|
|
description: Default is an optional
|
|
arbitrary JSON object that the variable
|
|
may take if the JMESPath expression
|
|
evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: JMESPath is an optional
|
|
JMESPath Expression that can be used
|
|
to transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary
|
|
JSON object representable in YAML
|
|
or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: object
|
|
type: array
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
preconditions:
|
|
description: 'Preconditions are used to determine
|
|
if a policy rule should be applied by evaluating
|
|
a set of conditions. The declaration can contain
|
|
nested `any` or `all` statements. A direct list
|
|
of conditions (without `any` or `all` statements)
|
|
is supported for backwards compatibility but
|
|
will be deprecated in the next major release.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/'
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
name:
|
|
description: Name is a label to identify the rule. It must
|
|
be unique within the policy.
|
|
maxLength: 63
|
|
type: string
|
|
preconditions:
|
|
description: 'Preconditions are used to determine if a policy
|
|
rule should be applied by evaluating a set of conditions.
|
|
The declaration can contain nested `any` or `all` statements.
|
|
A direct list of conditions (without `any` or `all` statements)
|
|
is supported for backwards compatibility but will be deprecated
|
|
in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
validate:
|
|
description: Validation is used to validate matching resources.
|
|
properties:
|
|
anyPattern:
|
|
description: AnyPattern specifies list of validation
|
|
patterns. At least one of the patterns must be satisfied
|
|
for the validation rule to succeed.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
cel:
|
|
description: CEL allows validation checks using the
|
|
Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
|
|
properties:
|
|
auditAnnotations:
|
|
description: AuditAnnotations contains CEL expressions
|
|
which are used to produce audit annotations for
|
|
the audit event of the API request.
|
|
items:
|
|
description: AuditAnnotation describes how to
|
|
produce an audit annotation for an API request.
|
|
properties:
|
|
key:
|
|
description: "key specifies the audit annotation
|
|
key. The audit annotation keys of a ValidatingAdmissionPolicy
|
|
must be unique. The key must be a qualified
|
|
name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more
|
|
than 63 bytes in length. \n The key is combined
|
|
with the resource name of the ValidatingAdmissionPolicy
|
|
to construct an audit annotation key: \"{ValidatingAdmissionPolicy
|
|
name}/{key}\". \n If an admission webhook
|
|
uses the same resource name as this ValidatingAdmissionPolicy
|
|
and the same audit annotation key, the annotation
|
|
key will be identical. In this case, the
|
|
first annotation written with the key will
|
|
be included in the audit event and all subsequent
|
|
annotations with the same key will be discarded.
|
|
\n Required."
|
|
type: string
|
|
valueExpression:
|
|
description: "valueExpression represents the
|
|
expression which is evaluated by CEL to
|
|
produce an audit annotation value. The expression
|
|
must evaluate to either a string or null
|
|
value. If the expression evaluates to a
|
|
string, the audit annotation is included
|
|
with the string value. If the expression
|
|
evaluates to null or empty string the audit
|
|
annotation will be omitted. The valueExpression
|
|
may be no longer than 5kb in length. If
|
|
the result of the valueExpression is more
|
|
than 10kb in length, it will be truncated
|
|
to 10kb. \n If multiple ValidatingAdmissionPolicyBinding
|
|
resources match an API request, then the
|
|
valueExpression will be evaluated for each
|
|
binding. All unique values produced by the
|
|
valueExpressions will be joined together
|
|
in a comma-separated list. \n Required."
|
|
type: string
|
|
required:
|
|
- key
|
|
- valueExpression
|
|
type: object
|
|
type: array
|
|
expressions:
|
|
description: Expressions is a list of CELExpression
|
|
types.
|
|
items:
|
|
description: Validation specifies the CEL expression
|
|
which is used to apply the validation.
|
|
properties:
|
|
expression:
|
|
description: "Expression represents the expression
|
|
which will be evaluated by CEL. ref: https://github.com/google/cel-spec
|
|
CEL expressions have access to the contents
|
|
of the API request/response, organized into
|
|
CEL variables as well as some other useful
|
|
variables: \n - 'object' - The object from
|
|
the incoming request. The value is null
|
|
for DELETE requests. - 'oldObject' - The
|
|
existing object. The value is null for CREATE
|
|
requests. - 'request' - Attributes of the
|
|
API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
|
|
- 'params' - Parameter resource referred
|
|
to by the policy binding being evaluated.
|
|
Only populated if the policy has a ParamKind.
|
|
- 'namespaceObject' - The namespace object
|
|
that the incoming object belongs to. The
|
|
value is null for cluster-scoped resources.
|
|
- 'variables' - Map of composited variables,
|
|
from its name to its lazily evaluated value.
|
|
For example, a variable named 'foo' can
|
|
be accessed as 'variables.foo'. - 'authorizer'
|
|
- A CEL Authorizer. May be used to perform
|
|
authorization checks for the principal (user
|
|
or service account) of the request. See
|
|
https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
|
- 'authorizer.requestResource' - A CEL ResourceCheck
|
|
constructed from the 'authorizer' and configured
|
|
with the request resource. \n The `apiVersion`,
|
|
`kind`, `metadata.name` and `metadata.generateName`
|
|
are always accessible from the root of the
|
|
object. No other metadata properties are
|
|
accessible. \n Only property names of the
|
|
form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are
|
|
accessible. Accessible property names are
|
|
escaped according to the following rules
|
|
when accessed in the expression: - '__'
|
|
escapes to '__underscores__' - '.' escapes
|
|
to '__dot__' - '-' escapes to '__dash__'
|
|
- '/' escapes to '__slash__' - Property
|
|
names that exactly match a CEL RESERVED
|
|
keyword escape to '__{keyword}__'. The keywords
|
|
are: \"true\", \"false\", \"null\", \"in\",
|
|
\"as\", \"break\", \"const\", \"continue\",
|
|
\"else\", \"for\", \"function\", \"if\",
|
|
\"import\", \"let\", \"loop\", \"package\",
|
|
\"namespace\", \"return\". Examples: - Expression
|
|
accessing a property named \"namespace\":
|
|
{\"Expression\": \"object.__namespace__
|
|
> 0\"} - Expression accessing a property
|
|
named \"x-prop\": {\"Expression\": \"object.x__dash__prop
|
|
> 0\"} - Expression accessing a property
|
|
named \"redact__d\": {\"Expression\": \"object.redact__underscores__d
|
|
> 0\"} \n Equality on arrays with list type
|
|
of 'set' or 'map' ignores element order,
|
|
i.e. [1, 2] == [2, 1]. Concatenation on
|
|
arrays with x-kubernetes-list-type use the
|
|
semantics of the list type: - 'set': `X
|
|
+ Y` performs a union where the array positions
|
|
of all elements in `X` are preserved and
|
|
non-intersecting elements in `Y` are appended,
|
|
retaining their partial order. - 'map':
|
|
`X + Y` performs a merge where the array
|
|
positions of all keys in `X` are preserved
|
|
but the values are overwritten by values
|
|
in `Y` when the key sets of `X` and `Y`
|
|
intersect. Elements in `Y` with non-intersecting
|
|
keys are appended, retaining their partial
|
|
order. Required."
|
|
type: string
|
|
message:
|
|
description: 'Message represents the message
displayed when validation fails. The message
is required if the Expression contains line
breaks, and the message itself must not contain
line breaks. If unset, the message is "failed
Expression: {Expression}". e.g. "must be a URL
with the host matching spec.host"'
|
|
type: string
|
|
messageExpression:
|
|
description: 'messageExpression declares a
|
|
CEL expression that evaluates to the validation
|
|
failure message that is returned when this
|
|
rule fails. Since messageExpression is used
|
|
as a failure message, it must evaluate to
|
|
a string. If both message and messageExpression
|
|
are present on a validation, then messageExpression
|
|
will be used if validation fails. If messageExpression
|
|
results in a runtime error, the runtime
|
|
error is logged, and the validation failure
|
|
message is produced as if the messageExpression
|
|
field were unset. If messageExpression evaluates
|
|
to an empty string, a string with only spaces,
|
|
or a string that contains line breaks, then
|
|
the validation failure message will also
|
|
be produced as if the messageExpression
|
|
field were unset, and the fact that messageExpression
|
|
produced an empty string/string with only
|
|
spaces/string with line breaks will be logged.
|
|
messageExpression has access to all the
|
|
same variables as the `expression` except
|
|
for ''authorizer'' and ''authorizer.requestResource''.
|
|
Example: "object.x must be less than max
|
|
("+string(params.max)+")"'
|
|
type: string
|
|
reason:
|
|
description: 'Reason represents a machine-readable
|
|
description of why this validation failed.
|
|
If this is the first validation in the list
|
|
to fail, this reason, as well as the corresponding
|
|
HTTP response code, are used in the HTTP
|
|
response to the client. The currently supported
|
|
reasons are: "Unauthorized", "Forbidden",
|
|
"Invalid", "RequestEntityTooLarge". If not
|
|
set, StatusReasonInvalid is used in the
|
|
response to the client.'
|
|
type: string
|
|
required:
|
|
- expression
|
|
type: object
|
|
type: array
|
|
paramKind:
|
|
description: ParamKind is a tuple of Group Kind
|
|
and Version.
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion is the API group version
|
|
the resources belong to. In format of "group/version".
|
|
Required.
|
|
type: string
|
|
kind:
|
|
description: Kind is the API kind the resources
|
|
belong to. Required.
|
|
type: string
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
paramRef:
|
|
description: ParamRef references a parameter resource.
|
|
properties:
|
|
name:
|
|
description: "`name` is the name of the resource
|
|
being referenced. \n `name` and `selector`
|
|
are mutually exclusive properties. If one
|
|
is set, the other must be unset."
|
|
type: string
|
|
namespace:
|
|
description: "namespace is the namespace of
|
|
the referenced resource. Allows limiting the
|
|
search for params to a specific namespace.
|
|
Applies to both `name` and `selector` fields.
|
|
\n A per-namespace parameter may be used by
|
|
specifying a namespace-scoped `paramKind`
|
|
in the policy and leaving this field empty.
|
|
\n - If `paramKind` is cluster-scoped, this
|
|
field MUST be unset. Setting this field results
|
|
in a configuration error. \n - If `paramKind`
|
|
is namespace-scoped, the namespace of the
|
|
object being evaluated for admission will
|
|
be used when this field is left unset. Take
|
|
care that if this is left empty the binding
|
|
must not match any cluster-scoped resources,
|
|
which will result in an error."
|
|
type: string
|
|
parameterNotFoundAction:
|
|
description: "`parameterNotFoundAction` controls
|
|
the behavior of the binding when the resource
|
|
exists, and name or selector is valid, but
|
|
there are no parameters matched by the binding.
|
|
If the value is set to `Allow`, then no matched
|
|
parameters will be treated as successful validation
|
|
by the binding. If set to `Deny`, then no
|
|
matched parameters will be subject to the
|
|
`failurePolicy` of the policy. \n Allowed
|
|
values are `Allow` or `Deny` Default to `Deny`"
|
|
type: string
|
|
selector:
|
|
description: "selector can be used to match
|
|
multiple param objects based on their labels.
|
|
Supply selector: {} to match all resources
|
|
of the ParamKind. \n If multiple params are
|
|
found, they are all evaluated with the policy
|
|
expressions and the results are ANDed together.
|
|
\n One of `name` or `selector` must be set,
|
|
but `name` and `selector` are mutually exclusive
|
|
properties. If one is set, the other must
|
|
be unset."
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values,
|
|
a key, and an operator that relates
|
|
the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a
|
|
key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists
|
|
and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of
|
|
string values. If the operator is
|
|
In or NotIn, the values array must
|
|
be non-empty. If the operator is
|
|
Exists or DoesNotExist, the values
|
|
array must be empty. This array
|
|
is replaced during a strategic merge
|
|
patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator
|
|
is "In", and the values array contains
|
|
only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
variables:
|
|
description: Variables contain definitions of variables
|
|
that can be used in composition of other expressions.
|
|
Each variable is defined as a named CEL expression.
|
|
The variables defined here will be available under
|
|
`variables` in other expressions of the policy.
|
|
items:
|
|
description: Variable is the definition of a variable
|
|
that is used for composition.
|
|
properties:
|
|
expression:
|
|
description: Expression is the expression
|
|
that will be evaluated as the value of the
|
|
variable. The CEL expression has access
|
|
to the same identifiers as the CEL expressions
|
|
in Validation.
|
|
type: string
|
|
name:
|
|
description: Name is the name of the variable.
|
|
The name must be a valid CEL identifier
|
|
and unique among all variables. The variable
|
|
can be accessed in other expressions through
|
|
`variables` For example, if name is "foo",
|
|
the variable will be available as `variables.foo`
|
|
type: string
|
|
required:
|
|
- expression
|
|
- name
|
|
type: object
|
|
type: array
|
|
type: object
|
|
deny:
|
|
description: Deny defines conditions used to pass or
|
|
fail a validation rule.
|
|
properties:
|
|
conditions:
|
|
description: 'Multiple conditions can be declared
|
|
under an `any` or `all` statement. A direct list
|
|
of conditions (without `any` or `all` statements)
|
|
is also supported for backwards compatibility
|
|
but will be deprecated in the next major release.
|
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
foreach:
|
|
description: ForEach applies validate rules to a list
|
|
of sub-elements by creating a context for each entry
|
|
in the list and looping over it to apply the specified
|
|
logic.
|
|
items:
|
|
description: ForEachValidation applies validate rules
|
|
to a list of sub-elements by creating a context
|
|
for each entry in the list and looping over it to
|
|
apply the specified logic.
|
|
properties:
|
|
anyPattern:
|
|
description: AnyPattern specifies list of validation
|
|
patterns. At least one of the patterns must
|
|
be satisfied for the validation rule to succeed.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
context:
|
|
description: Context defines variables and data
|
|
sources that can be used during rule execution.
|
|
items:
|
|
description: ContextEntry adds variables and
data sources to a rule Context. Exactly one of a ConfigMap
reference, an API call, an image registry lookup,
or an inline variable must be provided.
|
|
properties:
|
|
apiCall:
|
|
description: APICall is an HTTP request
|
|
to the Kubernetes API server, or other
|
|
JSON web service. The data returned is
|
|
stored in the context with the name for
|
|
the context entry.
|
|
properties:
|
|
data:
|
|
description: Data specifies the POST
|
|
data sent to the server.
|
|
items:
|
|
description: RequestData contains
|
|
the HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data
|
|
value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
jmesPath:
|
|
description: JMESPath is an optional
|
|
JSON Match Expression that can be
|
|
used to transform the JSON response
|
|
returned from the server. For example
|
|
a JMESPath of "items | length(@)"
|
|
applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments"
|
|
will return the total count of deployments
|
|
across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST).
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: Service is an API call
|
|
to a JSON web service
|
|
properties:
|
|
caBundle:
|
|
description: CABundle is a PEM encoded
|
|
CA bundle which will be used to
|
|
validate the server certificate.
|
|
type: string
|
|
url:
|
|
description: URL is the JSON web
|
|
service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: URLPath is the URL path
|
|
to be used in the HTTP GET or POST
|
|
request to the Kubernetes API server
|
|
(e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format
|
|
used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap
|
|
reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: ImageRegistry defines requests
|
|
to an OCI/Docker V2 registry to fetch
|
|
image details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials
|
|
provides credentials that will be
|
|
used for authentication with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows insecure
access to a registry (plain HTTP or an unverified
TLS server certificate). Leave unset for production
registries and use it only for local or test registries.
|
|
type: boolean
|
|
providers:
|
|
description: 'Providers specifies a list of OCI
registry credential providers used for authentication.
Allowed values are default, amazon, azure, google
and github.'
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: Secrets specifies a
list of Secrets that provide registry
credentials. The Secrets must live
in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: JMESPath is an optional
|
|
JSON Match Expression that can be
|
|
used to transform the ImageData struct
|
|
returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: 'Reference is image reference
|
|
to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest'
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary
|
|
JMESPath context variable that can be
|
|
defined inline.
|
|
properties:
|
|
default:
|
|
description: Default is an optional
|
|
arbitrary JSON object that the variable
|
|
may take if the JMESPath expression
|
|
evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: JMESPath is an optional
|
|
JMESPath Expression that can be used
|
|
to transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary
|
|
JSON object representable in YAML
|
|
or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: object
|
|
type: array
|
|
deny:
|
|
description: Deny defines conditions used to pass
|
|
or fail a validation rule.
|
|
properties:
|
|
conditions:
|
|
description: 'Multiple conditions can be declared
|
|
under an `any` or `all` statement. A direct
|
|
list of conditions (without `any` or `all`
|
|
statements) is also supported for backwards
|
|
compatibility but will be deprecated in
|
|
the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
elementScope:
|
|
description: ElementScope specifies whether to
|
|
use the current list element as the scope for
|
|
validation. Defaults to "true" if not specified.
|
|
When set to "false", "request.object" is used
|
|
as the validation scope within the foreach block
|
|
to allow referencing other elements in the subtree.
|
|
type: boolean
|
|
foreach:
|
|
description: Foreach declares a nested foreach
|
|
iterator
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
list:
|
|
description: List specifies a JMESPath expression
|
|
that results in one or more elements to which
|
|
the validation logic is applied.
|
|
type: string
|
|
pattern:
|
|
description: Pattern specifies an overlay-style
|
|
pattern used to check resources.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
preconditions:
|
|
description: 'AnyAllConditions are used to determine
|
|
if a policy rule should be applied by evaluating
|
|
a set of conditions. The declaration can contain
|
|
nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
|
|
properties:
|
|
all:
|
|
description: AllConditions enable variable-based
conditional rule execution. This is useful
for finer control of when a rule is applied.
A condition can reference object data using
JMESPath notation. Here, all of the conditions
need to pass.
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: 'Operator is the conditional
|
|
operation to perform. Valid operators
|
|
are: Equals, NotEquals, In, AnyIn,
|
|
AllIn, NotIn, AnyNotIn, AllNotIn,
|
|
GreaterThanOrEquals, GreaterThan,
|
|
LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
|
|
DurationGreaterThan, DurationLessThanOrEquals,
|
|
DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional
|
|
value, or set of values. The values
|
|
can be fixed set or can be variables
|
|
declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: AnyConditions enable variable-based
conditional rule execution. This is useful
for finer control of when a rule is applied.
A condition can reference object data using
JMESPath notation. Here, at least one of
the conditions needs to pass.
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: 'Operator is the conditional
|
|
operation to perform. Valid operators
|
|
are: Equals, NotEquals, In, AnyIn,
|
|
AllIn, NotIn, AnyNotIn, AllNotIn,
|
|
GreaterThanOrEquals, GreaterThan,
|
|
LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
|
|
DurationGreaterThan, DurationLessThanOrEquals,
|
|
DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional
|
|
value, or set of values. The values
|
|
can be fixed set or can be variables
|
|
declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
manifests:
|
|
description: Manifest specifies conditions for manifest
|
|
verification
|
|
properties:
|
|
annotationDomain:
|
|
description: AnnotationDomain is custom domain of
|
|
annotation for message and signature. Default
|
|
is "cosign.sigstore.dev".
|
|
type: string
|
|
attestors:
|
|
description: Attestors specified the required attestors
|
|
(i.e. authorities)
|
|
items:
|
|
properties:
|
|
count:
|
|
description: Count specifies the required
|
|
number of entries that must match. If the
|
|
count is null, all entries must match (a
|
|
logical AND). If the count is 1, at least
|
|
one entry must match (a logical OR). If
|
|
the count contains a value N, then N must
|
|
be less than or equal to the size of entries,
|
|
and at least N entries must match.
|
|
minimum: 1
|
|
type: integer
|
|
entries:
|
|
description: Entries contains the available
|
|
attestors. An attestor can be a static key,
|
|
attributes for keyless verification, or
|
|
a nested attestor declaration.
|
|
items:
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations are used for
|
|
image verification. Every specified
|
|
key-value pair must exist and match
|
|
in the verified payload. The payload
|
|
may contain other key-value pairs.
|
|
type: object
|
|
attestor:
|
|
description: Attestor is a nested AttestorSet
|
|
used to specify a more complex set
|
|
of match authorities
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
certificates:
|
|
description: Certificates specifies
|
|
one or more certificates
|
|
properties:
|
|
cert:
|
|
description: Certificate is an optional
|
|
PEM encoded public certificate.
|
|
type: string
|
|
certChain:
|
|
description: CertificateChain is
|
|
an optional PEM encoded set of
|
|
certificates used to verify
|
|
type: string
|
|
ctlog:
|
|
description: CTLog provides configuration
|
|
for validation of SCTs. If the
|
|
value is nil, default ctlog public
|
|
key is used
|
|
properties:
|
|
ignoreSCT:
|
|
description: IgnoreSCT, when set to true, skips
verification of the Signed Certificate Timestamp (SCT)
embedded in the signing certificate. An SCT is proof
of inclusion in a certificate transparency log. Leave
unset (false) to require a valid embedded SCT during verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: CTLogPubKey, if
|
|
set, is used to validate SCTs
|
|
against those keys.
|
|
type: string
|
|
type: object
|
|
rekor:
|
|
description: Rekor provides configuration
|
|
for the Rekor transparency log
|
|
service. If an empty object is
|
|
provided the public instance of
|
|
Rekor (https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips transparency log
(Rekor) verification. When set to true, signatures
are accepted without proof of inclusion in the
transparency log.
|
|
type: boolean
|
|
pubkey:
|
|
description: RekorPubKey is
|
|
an optional PEM encoded public
|
|
key to use for a custom Rekor.
|
|
If set, is used to validate
|
|
signatures on log entries
|
|
from Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
type: object
|
|
keyless:
|
|
description: Keyless is a set of attribute
|
|
used to verify a Sigstore keyless
|
|
attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions
|
|
are certificate-extensions used
|
|
for keyless signing.
|
|
type: object
|
|
ctlog:
|
|
description: CTLog provides configuration
|
|
for validation of SCTs. If the
|
|
value is nil, default ctlog public
|
|
key is used
|
|
properties:
|
|
ignoreSCT:
|
|
description: IgnoreSCT, when set to true, skips
verification of the Signed Certificate Timestamp (SCT)
embedded in the signing certificate. An SCT is proof
of inclusion in a certificate transparency log. Leave
unset (false) to require a valid embedded SCT during verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: CTLogPubKey, if
|
|
set, is used to validate SCTs
|
|
against those keys.
|
|
type: string
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
rekor:
|
|
description: Rekor provides configuration
|
|
for the Rekor transparency log
|
|
service. If an empty object is
|
|
provided the public instance of
|
|
Rekor (https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips transparency log
(Rekor) verification. When set to true, signatures
are accepted without proof of inclusion in the
transparency log.
|
|
type: boolean
|
|
pubkey:
|
|
description: RekorPubKey is
|
|
an optional PEM encoded public
|
|
key to use for a custom Rekor.
|
|
If set, is used to validate
|
|
signatures on log entries
|
|
from Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
roots:
|
|
description: Roots is an optional
|
|
set of PEM encoded trusted root
|
|
certificates. If not provided,
|
|
the system roots are used.
|
|
type: string
|
|
subject:
|
|
description: Subject is the verified
|
|
identity used for keyless signing,
|
|
for example the email address
|
|
type: string
|
|
type: object
|
|
keys:
|
|
description: Keys specifies one or more
|
|
public keys
|
|
properties:
|
|
ctlog:
|
|
description: CTLog provides configuration
|
|
for validation of SCTs. If the
|
|
value is nil, default ctlog public
|
|
key is used
|
|
properties:
|
|
ignoreSCT:
|
|
description: IgnoreSCT, when set to true, skips
verification of the Signed Certificate Timestamp (SCT)
embedded in the signing certificate. An SCT is proof
of inclusion in a certificate transparency log. Leave
unset (false) to require a valid embedded SCT during verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: CTLogPubKey, if
|
|
set, is used to validate SCTs
|
|
against those keys.
|
|
type: string
|
|
type: object
|
|
kms:
|
|
description: 'KMS provides the URI
|
|
to the public key stored in a
|
|
Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
|
|
type: string
|
|
publicKeys:
|
|
description: Keys is a set of X.509
|
|
public keys used to verify image
|
|
signatures. The keys can be directly
|
|
specified or can be a variable
|
|
reference to a key specified in
|
|
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
|
|
or reference a standard Kubernetes
|
|
Secret elsewhere in the cluster
|
|
by specifying it in the format
|
|
"k8s://<namespace>/<secret_name>".
|
|
The named Secret must specify
|
|
a key `cosign.pub` containing
|
|
the public key used for verification,
|
|
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
|
|
When multiple keys are specified
|
|
each key is processed as a separate
|
|
staticKey entry (.attestors[*].entries.keys)
|
|
within the set of attestors and
|
|
the count is applied across the
|
|
keys.
|
|
type: string
|
|
rekor:
|
|
description: Rekor provides configuration
|
|
for the Rekor transparency log
|
|
service. If an empty object is
|
|
provided the public instance of
|
|
Rekor (https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips transparency log
(Rekor) verification. When set to true, signatures
are accepted without proof of inclusion in the
transparency log.
|
|
type: boolean
|
|
pubkey:
|
|
description: RekorPubKey is
|
|
an optional PEM encoded public
|
|
key to use for a custom Rekor.
|
|
If set, is used to validate
|
|
signatures on log entries
|
|
from Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
secret:
|
|
description: Reference to a Secret
|
|
resource that contains a public
|
|
key
|
|
properties:
|
|
name:
|
|
description: Name of the secret.
|
|
The provided secret must contain
|
|
a key named cosign.pub.
|
|
type: string
|
|
namespace:
|
|
description: Namespace name
|
|
where the Secret exists.
|
|
type: string
|
|
required:
|
|
- name
|
|
- namespace
|
|
type: object
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Specify signature algorithm
|
|
for public keys. Supported values
|
|
are sha256 and sha512
|
|
type: string
|
|
type: object
|
|
repository:
|
|
description: Repository is an optional
|
|
alternate OCI repository to use for
|
|
signatures and attestations that match
|
|
this rule. If specified Repository
|
|
will override other OCI image repository
|
|
locations for this Attestor.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
dryRun:
|
|
description: DryRun configuration
|
|
properties:
|
|
enable:
|
|
type: boolean
|
|
namespace:
|
|
type: string
|
|
type: object
|
|
ignoreFields:
|
|
description: Fields which will be ignored while
|
|
comparing manifests.
|
|
items:
|
|
properties:
|
|
fields:
|
|
items:
|
|
type: string
|
|
type: array
|
|
objects:
|
|
items:
|
|
properties:
|
|
group:
|
|
type: string
|
|
kind:
|
|
type: string
|
|
name:
|
|
type: string
|
|
namespace:
|
|
type: string
|
|
version:
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
repository:
|
|
description: Repository is an optional alternate
|
|
OCI repository to use for resource bundle reference.
|
|
The repository can be overridden per Attestor
|
|
or Attestation.
|
|
type: string
|
|
type: object
|
|
message:
|
|
description: Message specifies a custom message to be
|
|
displayed on failure.
|
|
type: string
|
|
pattern:
|
|
description: Pattern specifies an overlay-style pattern
|
|
used to check resources.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
podSecurity:
|
|
description: PodSecurity applies exemptions for Kubernetes
|
|
Pod Security admission by specifying exclusions for
|
|
Pod Security Standards controls.
|
|
properties:
|
|
exclude:
|
|
description: Exclude specifies the Pod Security
|
|
Standard controls to be excluded.
|
|
items:
|
|
description: PodSecurityStandard specifies the
|
|
Pod Security Standard controls to be excluded.
|
|
properties:
|
|
controlName:
|
|
description: 'ControlName specifies the name
|
|
of the Pod Security Standard control. See:
|
|
https://kubernetes.io/docs/concepts/security/pod-security-standards/'
|
|
enum:
|
|
- HostProcess
|
|
- Host Namespaces
|
|
- Privileged Containers
|
|
- Capabilities
|
|
- HostPath Volumes
|
|
- Host Ports
|
|
- AppArmor
|
|
- SELinux
|
|
- /proc Mount Type
|
|
- Seccomp
|
|
- Sysctls
|
|
- Volume Types
|
|
- Privilege Escalation
|
|
- Running as Non-root
|
|
- Running as Non-root user
|
|
type: string
|
|
images:
|
|
description: 'Images selects matching containers
|
|
and applies the container level PSS. Each
|
|
image is the image name consisting of the
|
|
registry address, repository, image, and
|
|
tag. Empty list matches no containers, PSS
|
|
checks are applied at the pod level only.
|
|
Wildcards (''*'' and ''?'') are allowed.
|
|
See: https://kubernetes.io/docs/concepts/containers/images.'
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- controlName
|
|
type: object
|
|
type: array
|
|
level:
|
|
description: Level defines the Pod Security Standard
|
|
level to be applied to workloads. Allowed values
|
|
are privileged, baseline, and restricted.
|
|
enum:
|
|
- privileged
|
|
- baseline
|
|
- restricted
|
|
type: string
|
|
version:
|
|
description: Version defines the Pod Security Standard
|
|
versions that Kubernetes supports. Allowed values
|
|
are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24,
|
|
v1.25, v1.26, latest. Defaults to latest.
|
|
enum:
|
|
- v1.19
|
|
- v1.20
|
|
- v1.21
|
|
- v1.22
|
|
- v1.23
|
|
- v1.24
|
|
- v1.25
|
|
- v1.26
|
|
- latest
|
|
type: string
|
|
type: object
|
|
type: object
|
|
verifyImages:
|
|
description: VerifyImages is used to verify image signatures
|
|
and mutate them to add a digest
|
|
items:
|
|
description: ImageVerification validates that images that
match the specified pattern are signed with the supplied
public key. Once the image is verified it is mutated
to include the SHA digest retrieved from the registry during verification.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: Deprecated.
|
|
type: object
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Deprecated. Use annotations per Attestor
|
|
instead.
|
|
type: object
|
|
attestations:
|
|
description: Attestations are optional checks for
|
|
signed in-toto Statements used to verify the image.
|
|
See https://github.com/in-toto/attestation. Kyverno
|
|
fetches signed attestations from the OCI registry
|
|
and decodes them into a list of Statement declarations.
|
|
items:
|
|
description: Attestation are checks for signed in-toto
|
|
Statements that are used to verify the image.
|
|
See https://github.com/in-toto/attestation. Kyverno
|
|
fetches signed attestations from the OCI registry
|
|
and decodes them into a list of Statements.
|
|
properties:
|
|
attestors:
|
|
description: Attestors specify the required
|
|
attestors (i.e. authorities)
|
|
items:
|
|
properties:
|
|
count:
|
|
description: Count specifies the required
|
|
number of entries that must match. If
|
|
the count is null, all entries must
|
|
match (a logical AND). If the count
|
|
is 1, at least one entry must match
|
|
(a logical OR). If the count contains
|
|
a value N, then N must be less than
|
|
or equal to the size of entries, and
|
|
at least N entries must match.
|
|
minimum: 1
|
|
type: integer
|
|
entries:
|
|
description: Entries contains the available
|
|
attestors. An attestor can be a static
|
|
key, attributes for keyless verification,
|
|
or a nested attestor declaration.
|
|
items:
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations are used
|
|
for image verification. Every
|
|
specified key-value pair must
|
|
exist and match in the verified
|
|
payload. The payload may contain
|
|
other key-value pairs.
|
|
type: object
|
|
attestor:
|
|
description: Attestor is a nested
|
|
AttestorSet used to specify a
|
|
more complex set of match authorities
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
certificates:
|
|
description: Certificates specifies
|
|
one or more certificates
|
|
properties:
|
|
cert:
|
|
description: Certificate is
|
|
an optional PEM encoded public
|
|
certificate.
|
|
type: string
|
|
certChain:
|
|
description: CertificateChain
is an optional PEM encoded
set of certificates used for
verification.
|
|
type: string
|
|
ctlog:
|
|
description: CTLog provides
|
|
configuration for validation
|
|
of SCTs. If the value is nil,
|
|
default ctlog public key is
|
|
used
|
|
properties:
|
|
ignoreSCT:
|
|
description: IgnoreSCT requires
|
|
that a certificate contain
|
|
an embedded SCT during
|
|
verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: CTLogPubKey,
|
|
if set, is used to validate
|
|
SCTs against those keys.
|
|
type: string
|
|
type: object
|
|
rekor:
|
|
description: Rekor provides
|
|
configuration for the Rekor
|
|
transparency log service.
|
|
If an empty object is provided
|
|
the public instance of Rekor
|
|
(https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog
skips tlog verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: RekorPubKey
|
|
is an optional PEM encoded
|
|
public key to use for
|
|
a custom Rekor. If set,
|
|
is used to validate signatures
|
|
on log entries from Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the
|
|
address of the transparency
|
|
log. Defaults to the public
|
|
log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
type: object
|
|
keyless:
|
|
description: Keyless is a set of
attributes used to verify a Sigstore
keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions
|
|
are certificate-extensions
|
|
used for keyless signing.
|
|
type: object
|
|
ctlog:
|
|
description: CTLog provides
|
|
configuration for validation
|
|
of SCTs. If the value is nil,
|
|
default ctlog public key is
|
|
used
|
|
properties:
|
|
ignoreSCT:
|
|
description: IgnoreSCT requires
|
|
that a certificate contain
|
|
an embedded SCT during
|
|
verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: CTLogPubKey,
|
|
if set, is used to validate
|
|
SCTs against those keys.
|
|
type: string
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
rekor:
|
|
description: Rekor provides
|
|
configuration for the Rekor
|
|
transparency log service.
|
|
If an empty object is provided
|
|
the public instance of Rekor
|
|
(https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog
skips tlog verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: RekorPubKey
|
|
is an optional PEM encoded
|
|
public key to use for
|
|
a custom Rekor. If set,
|
|
is used to validate signatures
|
|
on log entries from Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the
|
|
address of the transparency
|
|
log. Defaults to the public
|
|
log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
roots:
|
|
description: Roots is an optional
|
|
set of PEM encoded trusted
|
|
root certificates. If not
|
|
provided, the system roots
|
|
are used.
|
|
type: string
|
|
subject:
|
|
description: Subject is the
|
|
verified identity used for
|
|
keyless signing, for example
|
|
the email address
|
|
type: string
|
|
type: object
|
|
keys:
|
|
description: Keys specifies one
|
|
or more public keys
|
|
properties:
|
|
ctlog:
|
|
description: CTLog provides
|
|
configuration for validation
|
|
of SCTs. If the value is nil,
|
|
default ctlog public key is
|
|
used
|
|
properties:
|
|
ignoreSCT:
|
|
description: IgnoreSCT requires
|
|
that a certificate contain
|
|
an embedded SCT during
|
|
verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: CTLogPubKey,
|
|
if set, is used to validate
|
|
SCTs against those keys.
|
|
type: string
|
|
type: object
|
|
kms:
|
|
description: 'KMS provides the
|
|
URI to the public key stored
|
|
in a Key Management System.
|
|
See: https://github.com/sigstore/cosign/blob/main/KMS.md'
|
|
type: string
|
|
publicKeys:
|
|
description: Keys is a set of
|
|
X.509 public keys used to
|
|
verify image signatures. The
|
|
keys can be directly specified
|
|
or can be a variable reference
|
|
to a key specified in a ConfigMap
|
|
(see https://kyverno.io/docs/writing-policies/variables/),
|
|
or reference a standard Kubernetes
|
|
Secret elsewhere in the cluster
|
|
by specifying it in the format
|
|
"k8s://<namespace>/<secret_name>".
|
|
The named Secret must specify
|
|
a key `cosign.pub` containing
|
|
the public key used for verification,
|
|
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
|
|
When multiple keys are specified
|
|
each key is processed as a
|
|
separate staticKey entry (.attestors[*].entries.keys)
|
|
within the set of attestors
|
|
and the count is applied across
|
|
the keys.
|
|
type: string
|
|
rekor:
|
|
description: Rekor provides
|
|
configuration for the Rekor
|
|
transparency log service.
|
|
If an empty object is provided
|
|
the public instance of Rekor
|
|
(https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog
skips tlog verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: RekorPubKey
|
|
is an optional PEM encoded
|
|
public key to use for
|
|
a custom Rekor. If set,
|
|
is used to validate signatures
|
|
on log entries from Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the
|
|
address of the transparency
|
|
log. Defaults to the public
|
|
log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
secret:
|
|
description: Reference to a
|
|
Secret resource that contains
|
|
a public key
|
|
properties:
|
|
name:
|
|
description: Name of the
|
|
secret. The provided secret
|
|
must contain a key named
|
|
cosign.pub.
|
|
type: string
|
|
namespace:
|
|
description: Namespace name
|
|
where the Secret exists.
|
|
type: string
|
|
required:
|
|
- name
|
|
- namespace
|
|
type: object
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Specify signature
algorithm for public keys.
Supported values are sha256
and sha512.
|
|
type: string
|
|
type: object
|
|
repository:
|
|
description: Repository is an optional
|
|
alternate OCI repository to use
|
|
for signatures and attestations
|
|
that match this rule. If specified
|
|
Repository will override other
|
|
OCI image repository locations
|
|
for this Attestor.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
conditions:
|
|
description: Conditions are used to verify attributes
within a Predicate. If no Conditions are specified,
the attestation check is satisfied as long as
there are predicates that match the predicate
type.
|
|
items:
|
|
description: AnyAllConditions consists of
|
|
conditions wrapped denoting a logical criteria
|
|
to be fulfilled. AnyConditions get fulfilled
|
|
when at least one of its sub-conditions
|
|
passes. AllConditions get fulfilled only
|
|
when all of its sub-conditions pass.
|
|
properties:
|
|
all:
|
|
description: AllConditions enable variable-based
conditional rule execution. This is
useful for finer control of when a
rule is applied. A condition can reference
object data using JMESPath notation.
Here, all of the conditions need to
pass.
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context
|
|
entry (using JMESPath) for conditional
|
|
rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: 'Operator is the conditional
|
|
operation to perform. Valid operators
|
|
are: Equals, NotEquals, In, AnyIn,
|
|
AllIn, NotIn, AnyNotIn, AllNotIn,
|
|
GreaterThanOrEquals, GreaterThan,
|
|
LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
|
|
DurationGreaterThan, DurationLessThanOrEquals,
|
|
DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional
|
|
value, or set of values. The values
|
|
can be fixed set or can be variables
|
|
declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: AnyConditions enable variable-based
conditional rule execution. This is
useful for finer control of when a
rule is applied. A condition can reference
object data using JMESPath notation.
Here, at least one of the conditions
needs to pass.
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context
|
|
entry (using JMESPath) for conditional
|
|
rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: 'Operator is the conditional
|
|
operation to perform. Valid operators
|
|
are: Equals, NotEquals, In, AnyIn,
|
|
AllIn, NotIn, AnyNotIn, AllNotIn,
|
|
GreaterThanOrEquals, GreaterThan,
|
|
LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
|
|
DurationGreaterThan, DurationLessThanOrEquals,
|
|
DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional
|
|
value, or set of values. The values
|
|
can be fixed set or can be variables
|
|
declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
predicateType:
|
|
description: Deprecated in favour of 'Type',
|
|
to be removed soon
|
|
type: string
|
|
type:
|
|
description: Type defines the type of attestation
|
|
contained within the Statement.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
attestors:
|
|
description: Attestors specifies the required attestors
(i.e. authorities)
|
|
items:
|
|
properties:
|
|
count:
|
|
description: Count specifies the required number
|
|
of entries that must match. If the count is
|
|
null, all entries must match (a logical AND).
|
|
If the count is 1, at least one entry must
|
|
match (a logical OR). If the count contains
|
|
a value N, then N must be less than or equal
|
|
to the size of entries, and at least N entries
|
|
must match.
|
|
minimum: 1
|
|
type: integer
|
|
entries:
|
|
description: Entries contains the available
|
|
attestors. An attestor can be a static key,
|
|
attributes for keyless verification, or a
|
|
nested attestor declaration.
|
|
items:
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations are used for
|
|
image verification. Every specified
|
|
key-value pair must exist and match
|
|
in the verified payload. The payload
|
|
may contain other key-value pairs.
|
|
type: object
|
|
attestor:
|
|
description: Attestor is a nested AttestorSet
|
|
used to specify a more complex set of
|
|
match authorities
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
certificates:
|
|
description: Certificates specifies one
|
|
or more certificates
|
|
properties:
|
|
cert:
|
|
description: Certificate is an optional
|
|
PEM encoded public certificate.
|
|
type: string
|
|
certChain:
|
|
description: CertificateChain is an
optional PEM encoded set of certificates
used for verification.
|
|
type: string
|
|
ctlog:
|
|
description: CTLog provides configuration
|
|
for validation of SCTs. If the value
|
|
is nil, default ctlog public key
|
|
is used
|
|
properties:
|
|
ignoreSCT:
|
|
description: IgnoreSCT requires
|
|
that a certificate contain an
|
|
embedded SCT during verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: CTLogPubKey, if set,
|
|
is used to validate SCTs against
|
|
those keys.
|
|
type: string
|
|
type: object
|
|
rekor:
|
|
description: Rekor provides configuration
|
|
for the Rekor transparency log service.
|
|
If an empty object is provided the
|
|
public instance of Rekor (https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips tlog
verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: RekorPubKey is an
|
|
optional PEM encoded public
|
|
key to use for a custom Rekor.
|
|
If set, is used to validate
|
|
signatures on log entries from
|
|
Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
type: object
|
|
keyless:
|
|
description: Keyless is a set of attributes
used to verify a Sigstore keyless attestor.
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions
|
|
are certificate-extensions used
|
|
for keyless signing.
|
|
type: object
|
|
ctlog:
|
|
description: CTLog provides configuration
|
|
for validation of SCTs. If the value
|
|
is nil, default ctlog public key
|
|
is used
|
|
properties:
|
|
ignoreSCT:
|
|
description: IgnoreSCT requires
|
|
that a certificate contain an
|
|
embedded SCT during verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: CTLogPubKey, if set,
|
|
is used to validate SCTs against
|
|
those keys.
|
|
type: string
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
rekor:
|
|
description: Rekor provides configuration
|
|
for the Rekor transparency log service.
|
|
If an empty object is provided the
|
|
public instance of Rekor (https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips tlog
verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: RekorPubKey is an
|
|
optional PEM encoded public
|
|
key to use for a custom Rekor.
|
|
If set, is used to validate
|
|
signatures on log entries from
|
|
Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
roots:
|
|
description: Roots is an optional
|
|
set of PEM encoded trusted root
|
|
certificates. If not provided, the
|
|
system roots are used.
|
|
type: string
|
|
subject:
|
|
description: Subject is the verified
|
|
identity used for keyless signing,
|
|
for example the email address
|
|
type: string
|
|
type: object
|
|
keys:
|
|
description: Keys specifies one or more
|
|
public keys
|
|
properties:
|
|
ctlog:
|
|
description: CTLog provides configuration
|
|
for validation of SCTs. If the value
|
|
is nil, default ctlog public key
|
|
is used
|
|
properties:
|
|
ignoreSCT:
|
|
description: IgnoreSCT requires
|
|
that a certificate contain an
|
|
embedded SCT during verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: CTLogPubKey, if set,
|
|
is used to validate SCTs against
|
|
those keys.
|
|
type: string
|
|
type: object
|
|
kms:
|
|
description: 'KMS provides the URI
|
|
to the public key stored in a Key
|
|
Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
|
|
type: string
|
|
publicKeys:
|
|
description: Keys is a set of X.509
|
|
public keys used to verify image
|
|
signatures. The keys can be directly
|
|
specified or can be a variable reference
|
|
to a key specified in a ConfigMap
|
|
(see https://kyverno.io/docs/writing-policies/variables/),
|
|
or reference a standard Kubernetes
|
|
Secret elsewhere in the cluster
|
|
by specifying it in the format "k8s://<namespace>/<secret_name>".
|
|
The named Secret must specify a
|
|
key `cosign.pub` containing the
|
|
public key used for verification,
|
|
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
|
|
When multiple keys are specified
|
|
each key is processed as a separate
|
|
staticKey entry (.attestors[*].entries.keys)
|
|
within the set of attestors and
|
|
the count is applied across the
|
|
keys.
|
|
type: string
|
|
rekor:
|
|
description: Rekor provides configuration
|
|
for the Rekor transparency log service.
|
|
If an empty object is provided the
|
|
public instance of Rekor (https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips tlog
verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: RekorPubKey is an
|
|
optional PEM encoded public
|
|
key to use for a custom Rekor.
|
|
If set, is used to validate
|
|
signatures on log entries from
|
|
Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
secret:
|
|
description: Reference to a Secret
|
|
resource that contains a public
|
|
key
|
|
properties:
|
|
name:
|
|
description: Name of the secret.
|
|
The provided secret must contain
|
|
a key named cosign.pub.
|
|
type: string
|
|
namespace:
|
|
description: Namespace name where
|
|
the Secret exists.
|
|
type: string
|
|
required:
|
|
- name
|
|
- namespace
|
|
type: object
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
|
|
type: string
|
|
type: object
|
|
repository:
|
|
description: Repository is an optional
|
|
alternate OCI repository to use for
|
|
signatures and attestations that match
|
|
this rule. If specified Repository will
|
|
override other OCI image repository
|
|
locations for this Attestor.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
image:
|
|
description: Deprecated. Use ImageReferences instead.
|
|
type: string
|
|
imageReferences:
|
|
description: 'ImageReferences is a list of matching
|
|
image reference patterns. At least one pattern in
|
|
the list must match the image for the rule to apply.
|
|
Each image reference consists of a registry address
|
|
(defaults to docker.io), repository, image, and
|
|
tag (defaults to latest). Wildcards (''*'' and ''?'')
|
|
are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
|
|
items:
|
|
type: string
|
|
type: array
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides credentials
that will be used for authentication with the registry.
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows insecure
|
|
access to a registry
|
|
type: boolean
|
|
providers:
|
|
description: 'Providers specifies a list of OCI
Registry names, whose authentication providers
are provided. It can be one of these values:
AWS, ACR, GCP, GHCR'
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential providers
|
|
required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: Secrets specifies a list of secrets
that are provided for credentials. Secrets must
live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
issuer:
|
|
description: Deprecated. Use KeylessAttestor instead.
|
|
type: string
|
|
key:
|
|
description: Deprecated. Use StaticKeyAttestor instead.
|
|
type: string
|
|
mutateDigest:
|
|
default: true
|
|
description: MutateDigest enables replacement of image
|
|
tags with digests. Defaults to true.
|
|
type: boolean
|
|
repository:
|
|
description: Repository is an optional alternate OCI
|
|
repository to use for image signatures and attestations
|
|
that match this rule. If specified Repository will
|
|
override the default OCI image repository configured
|
|
for the installation. The repository can also be
|
|
overridden per Attestor or Attestation.
|
|
type: string
|
|
required:
|
|
default: true
|
|
description: Required validates that images are verified,
i.e. have passed a signature or attestation
check.
|
|
type: boolean
|
|
roots:
|
|
description: Deprecated. Use KeylessAttestor instead.
|
|
type: string
|
|
subject:
|
|
description: Deprecated. Use KeylessAttestor instead.
|
|
type: string
|
|
type:
|
|
description: Type specifies the method of signature
|
|
validation. The allowed options are Cosign and Notary.
|
|
By default Cosign is used if a type is not specified.
|
|
enum:
|
|
- Cosign
|
|
- Notary
|
|
type: string
|
|
useCache:
|
|
default: true
|
|
description: UseCache enables caching of image verify
|
|
responses for this rule
|
|
type: boolean
|
|
verifyDigest:
|
|
default: true
|
|
description: VerifyDigest validates that images have
|
|
a digest.
|
|
type: boolean
|
|
type: object
|
|
type: array
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
type: object
|
|
conditions:
|
|
items:
|
|
description: "Condition contains details for one aspect of the current
|
|
state of this API Resource. --- This struct is intended for direct
|
|
use as an array at the field path .status.conditions. For example,
|
|
\n type FooStatus struct{ // Represents the observations of a
|
|
foo's current state. // Known .status.conditions.type are: \"Available\",
|
|
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
|
|
// +listType=map // +listMapKey=type Conditions []metav1.Condition
|
|
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
|
|
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
|
|
properties:
|
|
lastTransitionTime:
|
|
description: lastTransitionTime is the last time the condition
|
|
transitioned from one status to another. This should be when
|
|
the underlying condition changed. If that is not known, then
|
|
using the time when the API field changed is acceptable.
|
|
format: date-time
|
|
type: string
|
|
message:
|
|
description: message is a human readable message indicating
|
|
details about the transition. This may be an empty string.
|
|
maxLength: 32768
|
|
type: string
|
|
observedGeneration:
|
|
description: observedGeneration represents the .metadata.generation
|
|
that the condition was set based upon. For instance, if .metadata.generation
|
|
is currently 12, but the .status.conditions[x].observedGeneration
|
|
is 9, the condition is out of date with respect to the current
|
|
state of the instance.
|
|
format: int64
|
|
minimum: 0
|
|
type: integer
|
|
reason:
|
|
description: reason contains a programmatic identifier indicating
|
|
the reason for the condition's last transition. Producers
|
|
of specific condition types may define expected values and
|
|
meanings for this field, and whether the values are considered
|
|
a guaranteed API. The value should be a CamelCase string.
|
|
This field may not be empty.
|
|
maxLength: 1024
|
|
minLength: 1
|
|
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
|
type: string
|
|
status:
|
|
description: status of the condition, one of True, False, Unknown.
|
|
enum:
|
|
- "True"
|
|
- "False"
|
|
- Unknown
|
|
type: string
|
|
type:
|
|
description: type of condition in CamelCase or in foo.example.com/CamelCase.
|
|
--- Many .condition.type values are consistent across resources
|
|
like Available, but because arbitrary conditions can be useful
|
|
(see .node.status.conditions), the ability to deconflict is
|
|
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
|
|
maxLength: 316
|
|
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
|
type: string
|
|
required:
|
|
- lastTransitionTime
|
|
- message
|
|
- reason
|
|
- status
|
|
- type
|
|
type: object
|
|
type: array
|
|
ready:
|
|
description: Deprecated in favor of Conditions
|
|
type: boolean
|
|
rulecount:
|
|
description: RuleCountStatus contains four variables which describe
the counts for validate, generate, mutate and verify images rules.
|
|
properties:
|
|
generate:
|
|
description: Count for generate rules in policy
|
|
type: integer
|
|
mutate:
|
|
description: Count for mutate rules in policy
|
|
type: integer
|
|
validate:
|
|
description: Count for validate rules in policy
|
|
type: integer
|
|
verifyimages:
|
|
description: Count for verify image rules in policy
|
|
type: integer
|
|
required:
|
|
- generate
|
|
- mutate
|
|
- validate
|
|
- verifyimages
|
|
type: object
|
|
validatingadmissionpolicy:
|
|
description: ValidatingAdmissionPolicy contains status information
|
|
properties:
|
|
generated:
|
|
description: Generated indicates whether a validating admission
|
|
policy is generated from the policy or not
|
|
type: boolean
|
|
message:
|
|
description: Message is a human readable message indicating details
about the generation of the validating admission policy. It is an
empty string when the validating admission policy is successfully
generated.
|
|
type: string
|
|
required:
|
|
- generated
|
|
- message
|
|
type: object
|
|
required:
|
|
- ready
|
|
type: object
|
|
required:
|
|
- spec
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources:
|
|
status: {}
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .spec.admission
|
|
name: ADMISSION
|
|
type: boolean
|
|
- jsonPath: .spec.background
|
|
name: BACKGROUND
|
|
type: boolean
|
|
- jsonPath: .spec.validationFailureAction
|
|
name: VALIDATE ACTION
|
|
type: string
|
|
- jsonPath: .status.conditions[?(@.type == "Ready")].status
|
|
name: READY
|
|
type: string
|
|
- jsonPath: .metadata.creationTimestamp
|
|
name: AGE
|
|
type: date
|
|
- jsonPath: .spec.failurePolicy
|
|
name: FAILURE POLICY
|
|
priority: 1
|
|
type: string
|
|
- jsonPath: .status.rulecount.validate
|
|
name: VALIDATE
|
|
priority: 1
|
|
type: integer
|
|
- jsonPath: .status.rulecount.mutate
|
|
name: MUTATE
|
|
priority: 1
|
|
type: integer
|
|
- jsonPath: .status.rulecount.generate
|
|
name: GENERATE
|
|
priority: 1
|
|
type: integer
|
|
- jsonPath: .status.rulecount.verifyimages
|
|
name: VERIFY IMAGES
|
|
priority: 1
|
|
type: integer
|
|
- jsonPath: .status.conditions[?(@.type == "Ready")].message
|
|
name: MESSAGE
|
|
type: string
|
|
name: v2beta1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: 'Policy declares validation, mutation, and generation behaviors
|
|
for matching resources. See: https://kyverno.io/docs/writing-policies/ for
|
|
more information.'
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Spec defines policy behaviors and contains one or more rules.
|
|
properties:
|
|
admission:
|
|
default: true
|
|
description: Admission controls if rules are applied during admission.
|
|
Optional. Default value is "true".
|
|
type: boolean
|
|
applyRules:
|
|
description: ApplyRules controls how rules in a policy are applied.
Rules are processed in the order of declaration. When set to `One`
processing stops after a rule has been applied i.e. the rule matches
and results in a pass, fail, or error. When set to `All` all rules
in the policy are processed. The default is `All`.
|
|
enum:
|
|
- All
|
|
- One
|
|
type: string
|
|
background:
|
|
default: true
|
|
description: Background controls if rules are applied to existing
|
|
resources during a background scan. Optional. Default value is "true".
|
|
The value must be set to "false" if the policy rule uses variables
|
|
that are only available in the admission review request (e.g. user
|
|
name).
|
|
type: boolean
|
|
failurePolicy:
|
|
description: FailurePolicy defines how unexpected policy errors and
|
|
webhook response timeout errors are handled. Rules within the same
|
|
policy share the same failure behavior. Allowed values are Ignore
|
|
or Fail. Defaults to Fail.
|
|
enum:
|
|
- Ignore
|
|
- Fail
|
|
type: string
|
|
generateExisting:
|
|
description: GenerateExisting controls whether to trigger the generate
rule on existing resources. If set to "true", the generate rule will
be triggered and applied to existing matched resources. Defaults
to "false" if not specified.
|
|
type: boolean
|
|
generateExistingOnPolicyUpdate:
|
|
description: Deprecated, use generateExisting instead
|
|
type: boolean
|
|
mutateExistingOnPolicyUpdate:
|
|
description: MutateExistingOnPolicyUpdate controls if a mutateExisting
|
|
policy is applied on policy events. Default value is "false".
|
|
type: boolean
|
|
rules:
|
|
description: Rules is a list of Rule instances. A Policy contains
|
|
multiple rules and each rule can validate, mutate, or generate resources.
|
|
items:
|
|
description: Rule defines a validation, mutation, or generation
control for matching resources. Each rule contains a match declaration
to select resources, and an optional exclude declaration to specify
which resources to exclude.
|
|
properties:
|
|
celPreconditions:
|
|
description: CELPreconditions are used to determine if a policy
|
|
rule should be applied by evaluating a set of CEL conditions.
|
|
It can only be used with the validate.cel subrule
|
|
items:
|
|
description: MatchCondition represents a condition which must
be fulfilled for a request to be sent to a webhook.
|
|
properties:
|
|
expression:
|
|
description: "Expression represents the expression which
|
|
will be evaluated by CEL. Must evaluate to bool. CEL
|
|
expressions have access to the contents of the AdmissionRequest
|
|
and Authorizer, organized into CEL variables: \n 'object'
|
|
- The object from the incoming request. The value is
|
|
null for DELETE requests. 'oldObject' - The existing
|
|
object. The value is null for CREATE requests. 'request'
|
|
- Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
|
|
'authorizer' - A CEL Authorizer. May be used to perform
|
|
authorization checks for the principal (user or service
|
|
account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
|
'authorizer.requestResource' - A CEL ResourceCheck constructed
|
|
from the 'authorizer' and configured with the request
|
|
resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
|
|
\n Required."
|
|
type: string
|
|
name:
|
|
description: "Name is an identifier for this match condition,
|
|
used for strategic merging of MatchConditions, as well
|
|
as providing an identifier for logging purposes. A good
|
|
name should be descriptive of the associated expression.
|
|
Name must be a qualified name consisting of alphanumeric
|
|
characters, '-', '_' or '.', and must start and end
|
|
with an alphanumeric character (e.g. 'MyName', or 'my.name',
|
|
\ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
|
|
with an optional DNS subdomain prefix and '/' (e.g.
|
|
'example.com/MyName') \n Required."
|
|
type: string
|
|
required:
|
|
- expression
|
|
- name
|
|
type: object
|
|
type: array
|
|
context:
|
|
description: Context defines variables and data sources that
|
|
can be used during rule execution.
|
|
items:
|
|
description: ContextEntry adds variables and data sources
to a rule Context. One of a ConfigMap reference, an API call,
an image registry lookup, or an inline variable must be provided.
|
|
properties:
|
|
apiCall:
|
|
description: APICall is an HTTP request to the Kubernetes
|
|
API server, or other JSON web service. The data returned
|
|
is stored in the context with the name for the context
|
|
entry.
|
|
properties:
|
|
data:
|
|
description: Data specifies the POST data sent to
|
|
the server.
|
|
items:
|
|
description: RequestData contains the HTTP POST
|
|
data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier for
|
|
the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
jmesPath:
|
|
description: JMESPath is an optional JSON Match Expression
|
|
that can be used to transform the JSON response
|
|
returned from the server. For example a JMESPath
|
|
of "items | length(@)" applied to the API server
|
|
response for the URLPath "/apis/apps/v1/deployments"
|
|
will return the total count of deployments across
|
|
all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request type (GET
|
|
or POST).
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: Service is an API call to a JSON web
service. The response is fed into policy evaluation as trusted
data, so point `url` only at endpoints you control and set
`caBundle` so the server certificate is validated.
|
|
properties:
|
|
caBundle:
|
|
description: CABundle is a PEM encoded CA bundle
|
|
which will be used to validate the server certificate.
|
|
type: string
|
|
url:
|
|
description: URL is the JSON web service URL.
|
|
A typical form is `https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: URLPath is the URL path to be used in
|
|
the HTTP GET or POST request to the Kubernetes API
|
|
server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the
|
|
`kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: ImageRegistry defines requests to an OCI/Docker
|
|
V2 registry to fetch image details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides credentials
|
|
that will be used for authentication with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows insecure
access to a registry, bypassing the transport protections a
registry client normally enforces. Use only for trusted or test
registries; leave unset for production.
|
|
type: boolean
|
|
providers:
|
|
description: 'Providers specifies a list of OCI registry credential
providers to use for authentication. Each entry must be one of:
default, amazon, azure, google, github (the AWS, ACR, GCP and GHCR
credential helpers respectively).'
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential providers
|
|
required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: Secrets specifies a list of Secrets
that provide registry credentials. The Secrets must
live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: JMESPath is an optional JSON Match Expression
|
|
that can be used to transform the ImageData struct
|
|
returned as a result of processing the image reference.
|
|
type: string
|
|
reference:
|
|
description: 'Reference is image reference to a container
|
|
image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath context
|
|
variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: Default is an optional arbitrary JSON
|
|
object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: JMESPath is an optional JMESPath Expression
|
|
that can be used to transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON object representable
|
|
in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: object
|
|
type: array
|
|
exclude:
|
|
description: ExcludeResources defines when this policy rule
|
|
should not be applied. The exclude criteria can include resource
|
|
information (e.g. kind, name, namespace, labels) and admission
|
|
review request information like the name or role.
|
|
properties:
|
|
all:
|
|
description: All allows specifying resources which will
|
|
be ANDed
|
|
items:
|
|
description: ResourceFilter allows users to "AND" or "OR"
between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations is a map of annotations
|
|
(key-value pairs of type string). Annotation
|
|
keys and values support the wildcard characters
|
|
"*" (matches zero or many characters) and "?"
|
|
(matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: 'Name is the name of the resource.
|
|
The name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one
|
|
character). NOTE: "Name" is being deprecated
|
|
in favor of "Names".'
|
|
type: string
|
|
names:
|
|
description: Names are the names of the resources.
|
|
Each name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one
|
|
character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: 'NamespaceSelector is a label selector
for the resource namespace. Label keys and values
in `matchLabels` support the wildcard characters
`*` (matches zero or many characters) and `?`
(matches one character). Wildcards allow writing
label selectors like ["storage.k8s.io/*": "*"].
Note that using ["*" : "*"] matches any key
and value but does not match an empty label
set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a
|
|
key, and an operator that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only
|
|
"value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: Namespaces is a list of namespace
names. Each name supports wildcard characters
"*" (matches zero or many characters) and "?"
(at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
"UPDATE", "CONNECT", "DELETE"], which are used
to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one
|
|
of the values CREATE, UPDATE, CONNECT, DELETE,
|
|
which are used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: 'Selector is a label selector. Label
keys and values in `matchLabels` support the
wildcard characters `*` (matches zero or many
characters) and `?` (matches one character).
Wildcards allow writing label selectors like
["storage.k8s.io/*": "*"]. Note that using ["*"
: "*"] matches any key and value but does not
match an empty label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a
|
|
key, and an operator that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only
|
|
"value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: Subject contains a reference to the
|
|
object or user identities a role binding applies
|
|
to. This can either hold a direct API object
|
|
reference, or a value for non-objects such as
|
|
user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: APIGroup holds the API group of
|
|
the referenced subject. Defaults to "" for
|
|
ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
|
|
for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: Kind of object being referenced.
Values defined by this API group are "User",
"Group", and "ServiceAccount". If the Authorizer
does not recognize the kind value, the Authorizer
should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the referenced object. If
the object kind is non-namespaced, such as
"User" or "Group", and this value is not empty
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: Any allows specifying resources which will
|
|
be ORed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or "OR"
|
|
between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations is a map of annotations
|
|
(key-value pairs of type string). Annotation
|
|
keys and values support the wildcard characters
|
|
"*" (matches zero or many characters) and "?"
|
|
(matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: 'Name is the name of the resource.
|
|
The name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one
|
|
character). NOTE: "Name" is being deprecated
|
|
in favor of "Names".'
|
|
type: string
|
|
names:
|
|
description: Names are the names of the resources.
|
|
Each name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one
|
|
character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: 'NamespaceSelector is a label selector
for the resource namespace. Label keys and values
in `matchLabels` support the wildcard characters
`*` (matches zero or many characters) and `?`
(matches one character). Wildcards allow writing
label selectors like ["storage.k8s.io/*": "*"].
Note that using ["*" : "*"] matches any key
and value but does not match an empty label
set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a
|
|
key, and an operator that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only
|
|
"value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: Namespaces is a list of namespaces
|
|
names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?"
|
|
(at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
"UPDATE", "CONNECT", "DELETE"], which are used
to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one
|
|
of the values CREATE, UPDATE, CONNECT, DELETE,
|
|
which are used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: 'Selector is a label selector. Label
|
|
keys and values in `matchLabels` support the
|
|
wildcard characters `*` (matches zero or many
|
|
characters) and `?` (matches one character).
|
|
Wildcards allows writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*"
|
|
: "*"] matches any key and value but does not
|
|
match an empty label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a
|
|
key, and an operator that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only
|
|
"value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: Subject contains a reference to the
|
|
object or user identities a role binding applies
|
|
to. This can either hold a direct API object
|
|
reference, or a value for non-objects such as
|
|
user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: APIGroup holds the API group of
|
|
the referenced subject. Defaults to "" for
|
|
ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
|
|
for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: Kind of object being referenced.
|
|
Values defined by this API group are "User",
|
|
"Group", and "ServiceAccount". If the Authorizer
|
|
does not recognized the kind value, the Authorizer
|
|
should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the referenced object. If
|
|
the object kind is non-namespace, such as
|
|
"User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
type: object
|
|
generate:
|
|
description: Generation is used to create new resources.
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
clone:
|
|
description: Clone specifies the source resource used to
|
|
populate each generated resource. At most one of Data
|
|
or Clone can be specified. If neither are provided, the
|
|
generated resource will be created with default data only.
|
|
properties:
|
|
name:
|
|
description: Name specifies name of the resource.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies source resource namespace.
|
|
type: string
|
|
type: object
|
|
cloneList:
|
|
description: CloneList specifies the list of source resources
used to populate each generated resource.
|
|
properties:
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespace:
|
|
description: Namespace specifies source resource namespace.
|
|
type: string
|
|
selector:
|
|
description: Selector is a label selector. Wildcard characters
are not supported in `matchLabels` keys and values.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement is a
|
|
selector that contains values, a key, and an
|
|
operator that relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's relationship
|
|
to a set of values. Valid operators are
|
|
In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the
|
|
operator is Exists or DoesNotExist, the
|
|
values array must be empty. This array is
|
|
replaced during a strategic merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is "In",
|
|
and the values array contains only "value". The
|
|
requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
data:
|
|
description: Data provides the resource declaration used
to populate each generated resource. At most one of Data
or Clone can be specified. If neither are provided, the
generated resource will be created with default data only.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
synchronize:
|
|
description: Synchronize controls if generated resources
|
|
should be kept in-sync with their source resource. If
|
|
Synchronize is set to "true" changes to generated resources
|
|
will be overwritten with resource data from Data or the
|
|
resource specified in the Clone declaration. Optional.
|
|
Defaults to "false" if not specified.
|
|
type: boolean
|
|
type: object
|
|
imageExtractors:
|
|
additionalProperties:
|
|
items:
|
|
properties:
|
|
jmesPath:
|
|
description: 'JMESPath is an optional JMESPath expression
to apply to the image value. This is useful when the
extracted image begins with a prefix like ''docker://''.
The ''trim_prefix'' function may be used to trim the
prefix: trim_prefix(@, ''docker://''). Note - Image
digest mutation may not be used when applying a JMESPath
to an image.'
|
|
type: string
|
|
key:
|
|
description: Key is an optional name of the field within
|
|
'path' that will be used to uniquely identify an image.
|
|
Note - this field MUST be unique.
|
|
type: string
|
|
name:
|
|
description: Name is the entry the image will be available
|
|
under 'images.<name>' in the context. If this field
|
|
is not defined, image entries will appear under 'images.custom'.
|
|
type: string
|
|
path:
|
|
description: Path is the path to the object containing
|
|
the image field in a custom resource. It should be
|
|
slash-separated. Each slash-separated key must be
|
|
a valid YAML key or a wildcard '*'. Wildcard keys
|
|
are expanded in case of arrays or objects.
|
|
type: string
|
|
value:
|
|
description: Value is an optional name of the field
|
|
within 'path' that points to the image URI. This is
|
|
useful when a custom 'key' is also defined.
|
|
type: string
|
|
required:
|
|
- path
|
|
type: object
|
|
type: array
|
|
description: ImageExtractors defines a mapping from kinds to
|
|
ImageExtractorConfigs. This config is only valid for verifyImages
|
|
rules.
|
|
type: object
|
|
match:
|
|
description: MatchResources defines when this policy rule should
|
|
be applied. The match criteria can include resource information
|
|
(e.g. kind, name, namespace, labels) and admission review
|
|
request information like the user name or role. At least one
|
|
kind is required.
|
|
properties:
|
|
all:
|
|
description: All allows specifying resources which will
|
|
be ANDed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or "OR"
|
|
between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations is a map of annotations
|
|
(key-value pairs of type string). Annotation
|
|
keys and values support the wildcard characters
|
|
"*" (matches zero or many characters) and "?"
|
|
(matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: 'Name is the name of the resource.
|
|
The name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one
|
|
character). NOTE: "Name" is being deprecated
|
|
in favor of "Names".'
|
|
type: string
|
|
names:
|
|
description: Names are the names of the resources.
|
|
Each name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one
|
|
character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: 'NamespaceSelector is a label selector
for the resource namespace. Label keys and values
in `matchLabels` support the wildcard characters
`*` (matches zero or many characters) and `?`
(matches one character). Wildcards allow writing
label selectors like ["storage.k8s.io/*": "*"].
Note that using ["*" : "*"] matches any key
and value but does not match an empty label
set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a
|
|
key, and an operator that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only
|
|
"value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: Namespaces is a list of namespaces
|
|
names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?"
|
|
(at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
"UPDATE", "CONNECT", "DELETE"], which are used
to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one
|
|
of the values CREATE, UPDATE, CONNECT, DELETE,
|
|
which are used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: 'Selector is a label selector. Label
|
|
keys and values in `matchLabels` support the
|
|
wildcard characters `*` (matches zero or many
|
|
characters) and `?` (matches one character).
|
|
Wildcards allows writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*"
|
|
: "*"] matches any key and value but does not
|
|
match an empty label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a
|
|
key, and an operator that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only
|
|
"value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: Subject contains a reference to the
|
|
object or user identities a role binding applies
|
|
to. This can either hold a direct API object
|
|
reference, or a value for non-objects such as
|
|
user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: APIGroup holds the API group of
|
|
the referenced subject. Defaults to "" for
|
|
ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
|
|
for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: Kind of object being referenced.
|
|
Values defined by this API group are "User",
|
|
"Group", and "ServiceAccount". If the Authorizer
|
|
                                        does not recognize the kind value, the Authorizer
|
|
should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the referenced object. If
|
|
the object kind is non-namespace, such as
|
|
"User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: Any allows specifying resources which will
|
|
be ORed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or "OR"
|
|
between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations is a map of annotations
|
|
(key-value pairs of type string). Annotation
|
|
keys and values support the wildcard characters
|
|
"*" (matches zero or many characters) and "?"
|
|
                                      (matches exactly one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: 'Name is the name of the resource.
|
|
The name supports wildcard characters "*" (matches
|
|
                                      zero or many characters) and "?" (exactly one
|
|
character). NOTE: "Name" is being deprecated
|
|
in favor of "Names".'
|
|
type: string
|
|
names:
|
|
description: Names are the names of the resources.
|
|
Each name supports wildcard characters "*" (matches
|
|
                                      zero or many characters) and "?" (exactly one
|
|
character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: 'NamespaceSelector is a label selector
|
|
for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters
|
|
`*` (matches zero or many characters) and `?`
|
|
                                      (matches one character). Wildcards allow writing
|
|
label selectors like ["storage.k8s.io/*": "*"].
|
|
Note that using ["*" : "*"] matches any key
|
|
and value but does not match an empty label
|
|
set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a
|
|
key, and an operator that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only
|
|
"value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: Namespaces is a list of namespaces
|
|
names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?"
|
|
                                      (exactly one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
                                    description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used
|
|
to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one
|
|
of the values CREATE, UPDATE, CONNECT, DELETE,
|
|
which are used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: 'Selector is a label selector. Label
|
|
keys and values in `matchLabels` support the
|
|
wildcard characters `*` (matches zero or many
|
|
characters) and `?` (matches one character).
|
|
                                      Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*"
|
|
: "*"] matches any key and value but does not
|
|
match an empty label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a
|
|
key, and an operator that relates the
|
|
key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only
|
|
"value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: Subject contains a reference to the
|
|
object or user identities a role binding applies
|
|
to. This can either hold a direct API object
|
|
reference, or a value for non-objects such as
|
|
user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: APIGroup holds the API group of
|
|
the referenced subject. Defaults to "" for
|
|
ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
|
|
for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: Kind of object being referenced.
|
|
Values defined by this API group are "User",
|
|
"Group", and "ServiceAccount". If the Authorizer
|
|
                                        does not recognize the kind value, the Authorizer
|
|
should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the referenced object. If
|
|
the object kind is non-namespace, such as
|
|
"User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
type: object
|
|
mutate:
|
|
description: Mutation is used to modify matching resources.
|
|
properties:
|
|
foreach:
|
|
description: ForEach applies mutation rules to a list of
|
|
sub-elements by creating a context for each entry in the
|
|
list and looping over it to apply the specified logic.
|
|
items:
|
|
description: ForEachMutation applies mutation rules to
|
|
a list of sub-elements by creating a context for each
|
|
entry in the list and looping over it to apply the specified
|
|
logic.
|
|
properties:
|
|
context:
|
|
description: Context defines variables and data sources
|
|
that can be used during rule execution.
|
|
items:
|
|
description: ContextEntry adds variables and data
|
|
sources to a rule Context. Either a ConfigMap
|
|
reference or a APILookup must be provided.
|
|
properties:
|
|
apiCall:
|
|
description: APICall is an HTTP request to the
|
|
Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context
|
|
with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: Data specifies the POST data
|
|
sent to the server.
|
|
items:
|
|
description: RequestData contains the
|
|
HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
jmesPath:
|
|
description: JMESPath is an optional JSON
|
|
Match Expression that can be used to transform
|
|
the JSON response returned from the server.
|
|
For example a JMESPath of "items | length(@)"
|
|
applied to the API server response for
|
|
the URLPath "/apis/apps/v1/deployments"
|
|
will return the total count of deployments
|
|
across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST).
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: Service is an API call to a
|
|
JSON web service
|
|
properties:
|
|
caBundle:
|
|
description: CABundle is a PEM encoded
|
|
CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: URL is the JSON web service
|
|
URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: URLPath is the URL path to
|
|
be used in the HTTP GET or POST request
|
|
to the Kubernetes API server (e.g. "/api/v1/namespaces"
|
|
or "/apis/apps/v1/deployments"). The
|
|
format required is the same format used
|
|
by the `kubectl get --raw` command. See
|
|
https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: ImageRegistry defines requests
|
|
to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides
|
|
credentials that will be used for authentication
|
|
with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows
|
|
                                                insecure access to a registry; leave unset unless the registry cannot be reached securely.
|
|
type: boolean
|
|
providers:
|
|
description: 'Providers specifies a
|
|
list of OCI Registry names, whose
|
|
                                                authentication providers are provided.
|
|
                                                It must be one of these values:
|
|
                                                default, amazon, azure, google, github'
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: Secrets specifies a list
|
|
                                                of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: JMESPath is an optional JSON
|
|
Match Expression that can be used to transform
|
|
the ImageData struct returned as a result
|
|
of processing the image reference.
|
|
type: string
|
|
reference:
|
|
description: 'Reference is image reference
|
|
to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest'
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath
|
|
context variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: Default is an optional arbitrary
|
|
JSON object that the variable may take
|
|
if the JMESPath expression evaluates to
|
|
nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: JMESPath is an optional JMESPath
|
|
Expression that can be used to transform
|
|
the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON
|
|
object representable in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: object
|
|
type: array
|
|
foreach:
|
|
description: Foreach declares a nested foreach iterator
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
list:
|
|
description: List specifies a JMESPath expression
|
|
that results in one or more elements to which the
|
|
                                  mutation logic is applied.
|
|
type: string
|
|
order:
|
|
description: Order defines the iteration order on
|
|
the list. Can be Ascending to iterate from first
|
|
to last element or Descending to iterate in from
|
|
last to first element.
|
|
enum:
|
|
- Ascending
|
|
- Descending
|
|
type: string
|
|
patchStrategicMerge:
|
|
description: PatchStrategicMerge is a strategic merge
|
|
patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
|
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
patchesJson6902:
|
|
description: PatchesJSON6902 is a list of RFC 6902
|
|
JSON Patch declarations used to modify resources.
|
|
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
|
type: string
|
|
preconditions:
|
|
description: 'AnyAllConditions are used to determine
|
|
if a policy rule should be applied by evaluating
|
|
a set of conditions. The declaration can contain
|
|
nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
|
|
properties:
|
|
all:
|
|
description: AllConditions enable variable-based
|
|
conditional rule execution. This is useful for
|
|
                                      finer control of when a rule is applied. A
|
|
condition can reference object data using JMESPath
|
|
notation. Here, all of the conditions need to
|
|
                                      pass.
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display
|
|
message
|
|
type: string
|
|
operator:
|
|
description: 'Operator is the conditional
|
|
operation to perform. Valid operators
|
|
are: Equals, NotEquals, In, AnyIn, AllIn,
|
|
NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan,
|
|
DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional value,
|
|
or set of values. The values can be fixed
|
|
set or can be variables declared using
|
|
JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: AnyConditions enable variable-based
|
|
conditional rule execution. This is useful for
|
|
                                      finer control of when a rule is applied. A
|
|
condition can reference object data using JMESPath
|
|
notation. Here, at least one of the conditions
|
|
                                      need to pass.
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display
|
|
message
|
|
type: string
|
|
operator:
|
|
description: 'Operator is the conditional
|
|
operation to perform. Valid operators
|
|
are: Equals, NotEquals, In, AnyIn, AllIn,
|
|
NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan,
|
|
DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional value,
|
|
or set of values. The values can be fixed
|
|
set or can be variables declared using
|
|
JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
patchStrategicMerge:
|
|
description: PatchStrategicMerge is a strategic merge patch
|
|
used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
|
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
patchesJson6902:
|
|
description: PatchesJSON6902 is a list of RFC 6902 JSON
|
|
Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902
|
|
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
|
type: string
|
|
targets:
|
|
description: Targets defines the target resources to be
|
|
mutated.
|
|
items:
|
|
description: TargetResourceSpec defines targets for mutating
|
|
existing resources.
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
context:
|
|
description: Context defines variables and data sources
|
|
that can be used during rule execution.
|
|
items:
|
|
description: ContextEntry adds variables and data
|
|
sources to a rule Context. Either a ConfigMap
|
|
reference or a APILookup must be provided.
|
|
properties:
|
|
apiCall:
|
|
description: APICall is an HTTP request to the
|
|
Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context
|
|
with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: Data specifies the POST data
|
|
sent to the server.
|
|
items:
|
|
description: RequestData contains the
|
|
HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
jmesPath:
|
|
description: JMESPath is an optional JSON
|
|
Match Expression that can be used to transform
|
|
the JSON response returned from the server.
|
|
For example a JMESPath of "items | length(@)"
|
|
applied to the API server response for
|
|
the URLPath "/apis/apps/v1/deployments"
|
|
will return the total count of deployments
|
|
across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST).
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: Service is an API call to a
|
|
JSON web service
|
|
properties:
|
|
caBundle:
|
|
description: CABundle is a PEM encoded
|
|
CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: URL is the JSON web service
|
|
URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: URLPath is the URL path to
|
|
be used in the HTTP GET or POST request
|
|
to the Kubernetes API server (e.g. "/api/v1/namespaces"
|
|
or "/apis/apps/v1/deployments"). The
|
|
format required is the same format used
|
|
by the `kubectl get --raw` command. See
|
|
https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: ImageRegistry defines requests
|
|
to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides
|
|
credentials that will be used for authentication
|
|
with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows
|
|
                                                insecure access to a registry; leave unset unless the registry cannot be reached securely.
|
|
type: boolean
|
|
providers:
|
|
description: 'Providers specifies a
|
|
list of OCI Registry names, whose
|
|
                                                authentication providers are provided.
|
|
                                                It must be one of these values:
|
|
                                                default, amazon, azure, google, github'
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: Secrets specifies a list
|
|
                                                of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: JMESPath is an optional JSON
|
|
Match Expression that can be used to transform
|
|
the ImageData struct returned as a result
|
|
of processing the image reference.
|
|
type: string
|
|
reference:
|
|
description: 'Reference is image reference
|
|
to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest'
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath
|
|
context variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: Default is an optional arbitrary
|
|
JSON object that the variable may take
|
|
if the JMESPath expression evaluates to
|
|
nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: JMESPath is an optional JMESPath
|
|
Expression that can be used to transform
|
|
the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON
|
|
object representable in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: object
|
|
type: array
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
preconditions:
|
|
description: 'Preconditions are used to determine
|
|
if a policy rule should be applied by evaluating
|
|
a set of conditions. The declaration can contain
|
|
nested `any` or `all` statements. A direct list
|
|
                                  of conditions (without `any` or `all` statements)
|
|
is supported for backwards compatibility but will
|
|
be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
name:
|
|
description: Name is a label to identify the rule, It must be
|
|
unique within the policy.
|
|
maxLength: 63
|
|
type: string
|
|
preconditions:
|
|
description: 'Preconditions are used to determine if a policy
|
|
rule should be applied by evaluating a set of conditions.
|
|
The declaration can contain nested `any` or `all` statements.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/'
|
|
properties:
|
|
all:
|
|
description: AllConditions enable variable-based conditional
|
|
rule execution. This is useful for finer control of when
|
|
                            a rule is applied. A condition can reference object data
|
|
using JMESPath notation. Here, all of the conditions need
|
|
to pass.
|
|
items:
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using JMESPath)
|
|
for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display message
|
|
type: string
|
|
operator:
|
|
description: 'Operator is the conditional operation
|
|
to perform. Valid operators are: Equals, NotEquals,
|
|
                                  AnyIn, AllIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
|
|
DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- AnyIn
|
|
- AllIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional value, or set
|
|
of values. The values can be fixed set or can be
|
|
variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: AnyConditions enable variable-based conditional
|
|
rule execution. This is useful for finer control of when
|
|
                            a rule is applied. A condition can reference object data
|
|
using JMESPath notation. Here, at least one of the conditions
|
|
need to pass.
|
|
items:
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using JMESPath)
|
|
for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display message
|
|
type: string
|
|
operator:
|
|
description: 'Operator is the conditional operation
|
|
to perform. Valid operators are: Equals, NotEquals,
|
|
In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
|
|
DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- AnyIn
|
|
- AllIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional value, or set
|
|
of values. The values can be fixed set or can be
|
|
variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
validate:
|
|
description: Validation is used to validate matching resources.
|
|
properties:
|
|
anyPattern:
|
|
description: AnyPattern specifies list of validation patterns.
|
|
At least one of the patterns must be satisfied for the
|
|
validation rule to succeed.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
cel:
|
|
description: CEL allows validation checks using the Common
|
|
Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
|
|
properties:
|
|
auditAnnotations:
|
|
description: AuditAnnotations contains CEL expressions
|
|
which are used to produce audit annotations for the
|
|
audit event of the API request.
|
|
items:
|
|
description: AuditAnnotation describes how to produce
|
|
an audit annotation for an API request.
|
|
properties:
|
|
key:
|
|
description: "key specifies the audit annotation
|
|
key. The audit annotation keys of a ValidatingAdmissionPolicy
|
|
must be unique. The key must be a qualified
|
|
name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than
|
|
63 bytes in length. \n The key is combined with
|
|
the resource name of the ValidatingAdmissionPolicy
|
|
to construct an audit annotation key: \"{ValidatingAdmissionPolicy
|
|
name}/{key}\". \n If an admission webhook uses
|
|
the same resource name as this ValidatingAdmissionPolicy
|
|
and the same audit annotation key, the annotation
|
|
key will be identical. In this case, the first
|
|
annotation written with the key will be included
|
|
in the audit event and all subsequent annotations
|
|
with the same key will be discarded. \n Required."
|
|
type: string
|
|
valueExpression:
|
|
description: "valueExpression represents the expression
|
|
which is evaluated by CEL to produce an audit
|
|
annotation value. The expression must evaluate
|
|
to either a string or null value. If the expression
|
|
evaluates to a string, the audit annotation
|
|
is included with the string value. If the expression
|
|
evaluates to null or empty string the audit
|
|
annotation will be omitted. The valueExpression
|
|
may be no longer than 5kb in length. If the
|
|
result of the valueExpression is more than 10kb
|
|
in length, it will be truncated to 10kb. \n
|
|
If multiple ValidatingAdmissionPolicyBinding
|
|
resources match an API request, then the valueExpression
|
|
will be evaluated for each binding. All unique
|
|
values produced by the valueExpressions will
|
|
be joined together in a comma-separated list.
|
|
\n Required."
|
|
type: string
|
|
required:
|
|
- key
|
|
- valueExpression
|
|
type: object
|
|
type: array
|
|
expressions:
|
|
description: Expressions is a list of CELExpression
|
|
types.
|
|
items:
|
|
description: Validation specifies the CEL expression
|
|
which is used to apply the validation.
|
|
properties:
|
|
expression:
|
|
description: "Expression represents the expression
|
|
which will be evaluated by CEL. ref: https://github.com/google/cel-spec
|
|
CEL expressions have access to the contents
|
|
of the API request/response, organized into
|
|
CEL variables as well as some other useful variables:
|
|
\n - 'object' - The object from the incoming
|
|
request. The value is null for DELETE requests.
|
|
- 'oldObject' - The existing object. The value
|
|
is null for CREATE requests. - 'request' - Attributes
|
|
of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
|
|
- 'params' - Parameter resource referred to
|
|
by the policy binding being evaluated. Only
|
|
populated if the policy has a ParamKind. - 'namespaceObject'
|
|
- The namespace object that the incoming object
|
|
belongs to. The value is null for cluster-scoped
|
|
resources. - 'variables' - Map of composited
|
|
variables, from its name to its lazily evaluated
|
|
value. For example, a variable named 'foo' can
|
|
be accessed as 'variables.foo'. - 'authorizer'
|
|
- A CEL Authorizer. May be used to perform authorization
|
|
checks for the principal (user or service account)
|
|
of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
|
- 'authorizer.requestResource' - A CEL ResourceCheck
|
|
constructed from the 'authorizer' and configured
|
|
with the request resource. \n The `apiVersion`,
|
|
`kind`, `metadata.name` and `metadata.generateName`
|
|
are always accessible from the root of the object.
|
|
No other metadata properties are accessible.
|
|
\n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
|
|
are accessible. Accessible property names are
|
|
escaped according to the following rules when
|
|
accessed in the expression: - '__' escapes to
|
|
'__underscores__' - '.' escapes to '__dot__'
|
|
- '-' escapes to '__dash__' - '/' escapes to
|
|
'__slash__' - Property names that exactly match
|
|
a CEL RESERVED keyword escape to '__{keyword}__'.
|
|
The keywords are: \"true\", \"false\", \"null\",
|
|
\"in\", \"as\", \"break\", \"const\", \"continue\",
|
|
\"else\", \"for\", \"function\", \"if\", \"import\",
|
|
\"let\", \"loop\", \"package\", \"namespace\",
|
|
\"return\". Examples: - Expression accessing
|
|
a property named \"namespace\": {\"Expression\":
|
|
\"object.__namespace__ > 0\"} - Expression accessing
|
|
a property named \"x-prop\": {\"Expression\":
|
|
\"object.x__dash__prop > 0\"} - Expression accessing
|
|
a property named \"redact__d\": {\"Expression\":
|
|
\"object.redact__underscores__d > 0\"} \n Equality
|
|
on arrays with list type of 'set' or 'map' ignores
|
|
element order, i.e. [1, 2] == [2, 1]. Concatenation
|
|
on arrays with x-kubernetes-list-type use the
|
|
semantics of the list type: - 'set': `X + Y`
|
|
performs a union where the array positions of
|
|
all elements in `X` are preserved and non-intersecting
|
|
elements in `Y` are appended, retaining their
|
|
partial order. - 'map': `X + Y` performs a merge
|
|
where the array positions of all keys in `X`
|
|
are preserved but the values are overwritten
|
|
by values in `Y` when the key sets of `X` and
|
|
`Y` intersect. Elements in `Y` with non-intersecting
|
|
keys are appended, retaining their partial order.
|
|
Required."
|
|
type: string
|
|
message:
|
|
description: 'Message represents the message displayed
|
|
when validation fails. The message is required
|
|
if the Expression contains line breaks. The
|
|
message must not contain line breaks. If unset,
|
|
the message is "failed rule: {Rule}". e.g. "must
|
|
be a URL with the host matching spec.host" If
|
|
the Expression contains line breaks. Message
|
|
is required. The message must not contain line
|
|
breaks. If unset, the message is "failed Expression:
|
|
{Expression}".'
|
|
type: string
|
|
messageExpression:
|
|
description: 'messageExpression declares a CEL
|
|
expression that evaluates to the validation
|
|
failure message that is returned when this rule
|
|
fails. Since messageExpression is used as a
|
|
failure message, it must evaluate to a string.
|
|
If both message and messageExpression are present
|
|
on a validation, then messageExpression will
|
|
be used if validation fails. If messageExpression
|
|
results in a runtime error, the runtime error
|
|
is logged, and the validation failure message
|
|
is produced as if the messageExpression field
|
|
were unset. If messageExpression evaluates to
|
|
an empty string, a string with only spaces,
|
|
or a string that contains line breaks, then
|
|
the validation failure message will also be
|
|
produced as if the messageExpression field were
|
|
unset, and the fact that messageExpression produced
|
|
an empty string/string with only spaces/string
|
|
with line breaks will be logged. messageExpression
|
|
has access to all the same variables as the
|
|
`expression` except for ''authorizer'' and ''authorizer.requestResource''.
|
|
Example: "object.x must be less than max ("+string(params.max)+")"'
|
|
type: string
|
|
reason:
|
|
description: 'Reason represents a machine-readable
|
|
description of why this validation failed. If
|
|
this is the first validation in the list to
|
|
fail, this reason, as well as the corresponding
|
|
HTTP response code, are used in the HTTP response
|
|
to the client. The currently supported reasons
|
|
are: "Unauthorized", "Forbidden", "Invalid",
|
|
"RequestEntityTooLarge". If not set, StatusReasonInvalid
|
|
is used in the response to the client.'
|
|
type: string
|
|
required:
|
|
- expression
|
|
type: object
|
|
type: array
|
|
paramKind:
|
|
description: ParamKind is a tuple of Group Kind and
|
|
Version.
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion is the API group version
|
|
the resources belong to. In format of "group/version".
|
|
Required.
|
|
type: string
|
|
kind:
|
|
description: Kind is the API kind the resources
|
|
belong to. Required.
|
|
type: string
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
paramRef:
|
|
description: ParamRef references a parameter resource.
|
|
properties:
|
|
name:
|
|
description: "`name` is the name of the resource
|
|
being referenced. \n `name` and `selector` are
|
|
mutually exclusive properties. If one is set,
|
|
the other must be unset."
|
|
type: string
|
|
namespace:
|
|
description: "namespace is the namespace of the
|
|
referenced resource. Allows limiting the search
|
|
for params to a specific namespace. Applies to
|
|
both `name` and `selector` fields. \n A per-namespace
|
|
parameter may be used by specifying a namespace-scoped
|
|
`paramKind` in the policy and leaving this field
|
|
empty. \n - If `paramKind` is cluster-scoped,
|
|
this field MUST be unset. Setting this field results
|
|
in a configuration error. \n - If `paramKind`
|
|
is namespace-scoped, the namespace of the object
|
|
being evaluated for admission will be used when
|
|
this field is left unset. Take care that if this
|
|
is left empty the binding must not match any cluster-scoped
|
|
resources, which will result in an error."
|
|
type: string
|
|
parameterNotFoundAction:
|
|
description: "`parameterNotFoundAction` controls
|
|
the behavior of the binding when the resource
|
|
exists, and name or selector is valid, but there
|
|
are no parameters matched by the binding. If the
|
|
value is set to `Allow`, then no matched parameters
|
|
will be treated as successful validation by the
|
|
binding. If set to `Deny`, then no matched parameters
|
|
will be subject to the `failurePolicy` of the
|
|
policy. \n Allowed values are `Allow` or `Deny`
|
|
Default to `Deny`"
|
|
type: string
|
|
selector:
|
|
description: "selector can be used to match multiple
|
|
param objects based on their labels. Supply selector:
|
|
{} to match all resources of the ParamKind. \n
|
|
If multiple params are found, they are all evaluated
|
|
with the policy expressions and the results are
|
|
ANDed together. \n One of `name` or `selector`
|
|
must be set, but `name` and `selector` are mutually
|
|
exclusive properties. If one is set, the other
|
|
must be unset."
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a key,
|
|
and an operator that relates the key and
|
|
values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only "value".
|
|
The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
variables:
|
|
description: Variables contain definitions of variables
|
|
that can be used in composition of other expressions.
|
|
Each variable is defined as a named CEL expression.
|
|
The variables defined here will be available under
|
|
`variables` in other expressions of the policy.
|
|
items:
|
|
description: Variable is the definition of a variable
|
|
that is used for composition.
|
|
properties:
|
|
expression:
|
|
description: Expression is the expression that
|
|
will be evaluated as the value of the variable.
|
|
The CEL expression has access to the same identifiers
|
|
as the CEL expressions in Validation.
|
|
type: string
|
|
name:
|
|
description: Name is the name of the variable.
|
|
The name must be a valid CEL identifier and
|
|
unique among all variables. The variable can
|
|
be accessed in other expressions through `variables`
|
|
For example, if name is "foo", the variable
|
|
will be available as `variables.foo`
|
|
type: string
|
|
required:
|
|
- expression
|
|
- name
|
|
type: object
|
|
type: array
|
|
type: object
|
|
deny:
|
|
description: Deny defines conditions used to pass or fail
|
|
a validation rule.
|
|
properties:
|
|
conditions:
|
|
description: 'Multiple conditions can be declared under
|
|
an `any` or `all` statement. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
|
|
properties:
|
|
all:
|
|
description: AllConditions enable variable-based
|
|
conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition
|
|
can reference object data using JMESPath notation.
|
|
Here, all of the conditions need to pass.
|
|
items:
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display
|
|
message
|
|
type: string
|
|
operator:
|
|
description: 'Operator is the conditional
|
|
operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn,
|
|
AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan,
|
|
DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- AnyIn
|
|
- AllIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional value,
|
|
or set of values. The values can be fixed
|
|
set or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: AnyConditions enable variable-based
|
|
conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition
|
|
can reference object data using JMESPath notation.
|
|
Here, at least one of the conditions need to pass.
|
|
items:
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display
|
|
message
|
|
type: string
|
|
operator:
|
|
description: 'Operator is the conditional
|
|
operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn,
|
|
AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan,
|
|
DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- AnyIn
|
|
- AllIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional value,
|
|
or set of values. The values can be fixed
|
|
set or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: object
|
|
foreach:
|
|
description: ForEach applies validate rules to a list of
|
|
sub-elements by creating a context for each entry in the
|
|
list and looping over it to apply the specified logic.
|
|
items:
|
|
description: ForEachValidation applies validate rules
|
|
to a list of sub-elements by creating a context for
|
|
each entry in the list and looping over it to apply
|
|
the specified logic.
|
|
properties:
|
|
anyPattern:
|
|
description: AnyPattern specifies list of validation
|
|
patterns. At least one of the patterns must be satisfied
|
|
for the validation rule to succeed.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
context:
|
|
description: Context defines variables and data sources
|
|
that can be used during rule execution.
|
|
items:
|
|
description: ContextEntry adds variables and data
|
|
sources to a rule Context. Either a ConfigMap
|
|
reference or a APILookup must be provided.
|
|
properties:
|
|
apiCall:
|
|
description: APICall is an HTTP request to the
|
|
Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context
|
|
with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: Data specifies the POST data
|
|
sent to the server.
|
|
items:
|
|
description: RequestData contains the
|
|
HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
jmesPath:
|
|
description: JMESPath is an optional JSON
|
|
Match Expression that can be used to transform
|
|
the JSON response returned from the server.
|
|
For example a JMESPath of "items | length(@)"
|
|
applied to the API server response for
|
|
the URLPath "/apis/apps/v1/deployments"
|
|
will return the total count of deployments
|
|
across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST).
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: Service is an API call to a
|
|
JSON web service
|
|
properties:
|
|
caBundle:
|
|
description: CABundle is a PEM encoded
|
|
CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: URL is the JSON web service
|
|
URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: URLPath is the URL path to
|
|
be used in the HTTP GET or POST request
|
|
to the Kubernetes API server (e.g. "/api/v1/namespaces"
|
|
or "/apis/apps/v1/deployments"). The
|
|
format required is the same format used
|
|
by the `kubectl get --raw` command. See
|
|
https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: ImageRegistry defines requests
|
|
to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides
|
|
credentials that will be used for authentication
|
|
with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows
|
|
insecure access to a registry
|
|
type: boolean
|
|
providers:
|
|
description: 'Providers specifies a
|
|
list of OCI Registry names, whose
|
|
authentication providers are provided.
|
|
It can be one of these values:
|
|
AWS, ACR, GCP, GHCR'
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: Secrets specifies a list
|
|
of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: JMESPath is an optional JSON
|
|
Match Expression that can be used to transform
|
|
the ImageData struct returned as a result
|
|
of processing the image reference.
|
|
type: string
|
|
reference:
|
|
description: 'Reference is image reference
|
|
to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest'
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath
|
|
context variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: Default is an optional arbitrary
|
|
JSON object that the variable may take
|
|
if the JMESPath expression evaluates to
|
|
nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: JMESPath is an optional JMESPath
|
|
Expression that can be used to transform
|
|
the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON
|
|
object representable in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: object
|
|
type: array
|
|
deny:
|
|
description: Deny defines conditions used to pass
|
|
or fail a validation rule.
|
|
properties:
|
|
conditions:
|
|
description: 'Multiple conditions can be declared
|
|
under an `any` or `all` statement. A direct
|
|
list of conditions (without `any` or `all` statements)
|
|
is also supported for backwards compatibility
|
|
but will be deprecated in the next major release.
|
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
elementScope:
|
|
description: ElementScope specifies whether to use
|
|
the current list element as the scope for validation.
|
|
Defaults to "true" if not specified. When set to
|
|
"false", "request.object" is used as the validation
|
|
scope within the foreach block to allow referencing
|
|
other elements in the subtree.
|
|
type: boolean
|
|
foreach:
|
|
description: Foreach declares a nested foreach iterator
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
list:
|
|
description: List specifies a JMESPath expression
|
|
that results in one or more elements to which the
|
|
validation logic is applied.
|
|
type: string
|
|
pattern:
|
|
description: Pattern specifies an overlay-style pattern
|
|
used to check resources.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
preconditions:
|
|
description: 'AnyAllConditions are used to determine
|
|
if a policy rule should be applied by evaluating
|
|
a set of conditions. The declaration can contain
|
|
nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
|
|
properties:
|
|
all:
|
|
description: AllConditions enable variable-based
|
|
conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A
|
|
condition can reference object data using JMESPath
|
|
notation. Here, all of the conditions need to
|
|
pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display
|
|
message
|
|
type: string
|
|
operator:
|
|
description: 'Operator is the conditional
|
|
operation to perform. Valid operators
|
|
are: Equals, NotEquals, In, AnyIn, AllIn,
|
|
NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan,
|
|
DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional value,
|
|
or set of values. The values can be fixed
|
|
set or can be variables declared using
|
|
JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: AnyConditions enable variable-based
|
|
conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A
|
|
condition can reference object data using JMESPath
|
|
notation. Here, at least one of the conditions
|
|
need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display
|
|
message
|
|
type: string
|
|
operator:
|
|
description: 'Operator is the conditional
|
|
operation to perform. Valid operators
|
|
are: Equals, NotEquals, In, AnyIn, AllIn,
|
|
NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan,
|
|
DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional value,
|
|
or set of values. The values can be fixed
|
|
set or can be variables declared using
|
|
JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
manifests:
|
|
description: Manifest specifies conditions for manifest
|
|
verification
|
|
properties:
|
|
annotationDomain:
|
|
description: AnnotationDomain is custom domain of annotation
|
|
for message and signature. Default is "cosign.sigstore.dev".
|
|
type: string
|
|
attestors:
|
|
description: Attestors specifies the required attestors
|
|
(i.e. authorities)
|
|
items:
|
|
properties:
|
|
count:
|
|
description: Count specifies the required number
|
|
of entries that must match. If the count is
|
|
null, all entries must match (a logical AND).
|
|
If the count is 1, at least one entry must match
|
|
(a logical OR). If the count contains a value
|
|
N, then N must be less than or equal to the
|
|
size of entries, and at least N entries must
|
|
match.
|
|
minimum: 1
|
|
type: integer
|
|
entries:
|
|
description: Entries contains the available attestors.
|
|
An attestor can be a static key, attributes
|
|
for keyless verification, or a nested attestor
|
|
declaration.
|
|
items:
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations are used for image
|
|
verification. Every specified key-value
|
|
pair must exist and match in the verified
|
|
payload. The payload may contain other
|
|
key-value pairs.
|
|
type: object
|
|
attestor:
|
|
description: Attestor is a nested AttestorSet
|
|
used to specify a more complex set of
|
|
match authorities
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
certificates:
|
|
description: Certificates specifies one
|
|
or more certificates
|
|
properties:
|
|
cert:
|
|
description: Certificate is an optional
|
|
PEM encoded public certificate.
|
|
type: string
|
|
certChain:
|
|
description: CertificateChain is an
|
|
optional PEM encoded set of certificates
|
|
used to verify
|
|
type: string
|
|
ctlog:
|
|
description: CTLog provides configuration
|
|
for validation of SCTs. If the value
|
|
is nil, default ctlog public key is
|
|
used
|
|
properties:
|
|
ignoreSCT:
|
|
description: IgnoreSCT requires
|
|
that a certificate contain an
|
|
embedded SCT during verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: CTLogPubKey, if set,
|
|
is used to validate SCTs against
|
|
those keys.
|
|
type: string
|
|
type: object
|
|
rekor:
|
|
description: Rekor provides configuration
|
|
for the Rekor transparency log service.
|
|
If an empty object is provided the
|
|
public instance of Rekor (https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips tlog
|
|
verification
|
|
type: boolean
|
|
pubkey:
|
|
description: RekorPubKey is an optional
|
|
PEM encoded public key to use
|
|
for a custom Rekor. If set, is
|
|
used to validate signatures on
|
|
log entries from Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
type: object
|
|
keyless:
|
|
description: Keyless is a set of attributes
|
|
used to verify a Sigstore keyless attestor.
|
|
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions are
|
|
certificate-extensions used for keyless
|
|
signing.
|
|
type: object
|
|
ctlog:
|
|
description: CTLog provides configuration
|
|
for validation of SCTs. If the value
|
|
is nil, default ctlog public key is
|
|
used
|
|
properties:
|
|
ignoreSCT:
|
|
description: IgnoreSCT requires
|
|
that a certificate contain an
|
|
embedded SCT during verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: CTLogPubKey, if set,
|
|
is used to validate SCTs against
|
|
those keys.
|
|
type: string
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
rekor:
|
|
description: Rekor provides configuration
|
|
for the Rekor transparency log service.
|
|
If an empty object is provided the
|
|
public instance of Rekor (https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips tlog
|
|
verification
|
|
type: boolean
|
|
pubkey:
|
|
description: RekorPubKey is an optional
|
|
PEM encoded public key to use
|
|
for a custom Rekor. If set, is
|
|
used to validate signatures on
|
|
log entries from Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
roots:
|
|
description: Roots is an optional set
|
|
of PEM encoded trusted root certificates.
|
|
If not provided, the system roots
|
|
are used.
|
|
type: string
|
|
subject:
|
|
description: Subject is the verified
|
|
identity used for keyless signing,
|
|
for example the email address
|
|
type: string
|
|
type: object
|
|
keys:
|
|
description: Keys specifies one or more
|
|
public keys
|
|
properties:
|
|
ctlog:
|
|
description: CTLog provides configuration
|
|
for validation of SCTs. If the value
|
|
is nil, default ctlog public key is
|
|
used
|
|
properties:
|
|
ignoreSCT:
|
|
description: IgnoreSCT, when true, skips
the check that a certificate contains
an embedded SCT during verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: CTLogPubKey, if set,
|
|
is used to validate SCTs against
|
|
those keys.
|
|
type: string
|
|
type: object
|
|
kms:
|
|
description: 'KMS provides the URI to
|
|
the public key stored in a Key Management
|
|
System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
|
|
type: string
|
|
publicKeys:
|
|
description: Keys is a set of X.509
|
|
public keys used to verify image signatures.
|
|
The keys can be directly specified
|
|
or can be a variable reference to
|
|
a key specified in a ConfigMap (see
|
|
https://kyverno.io/docs/writing-policies/variables/),
|
|
or reference a standard Kubernetes
|
|
Secret elsewhere in the cluster by
|
|
specifying it in the format "k8s://<namespace>/<secret_name>".
|
|
The named Secret must specify a key
|
|
`cosign.pub` containing the public
|
|
key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
|
|
When multiple keys are specified each
|
|
key is processed as a separate staticKey
|
|
entry (.attestors[*].entries.keys)
|
|
within the set of attestors and the
|
|
count is applied across the keys.
|
|
type: string
|
|
rekor:
|
|
description: Rekor provides configuration
|
|
for the Rekor transparency log service.
|
|
If an empty object is provided the
|
|
public instance of Rekor (https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips tlog
|
|
verification
|
|
type: boolean
|
|
pubkey:
|
|
description: RekorPubKey is an optional
|
|
PEM encoded public key to use
|
|
for a custom Rekor. If set, is
|
|
used to validate signatures on
|
|
log entries from Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
secret:
|
|
description: Reference to a Secret resource
|
|
that contains a public key
|
|
properties:
|
|
name:
|
|
description: Name of the secret.
|
|
The provided secret must contain
|
|
a key named cosign.pub.
|
|
type: string
|
|
namespace:
|
|
description: Namespace name where
|
|
the Secret exists.
|
|
type: string
|
|
required:
|
|
- name
|
|
- namespace
|
|
type: object
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Specify signature algorithm
|
|
for public keys. Supported values
|
|
are sha256 and sha512
|
|
type: string
|
|
type: object
|
|
repository:
|
|
description: Repository is an optional alternate
|
|
OCI repository to use for signatures and
|
|
attestations that match this rule. If
|
|
specified Repository will override other
|
|
OCI image repository locations for this
|
|
Attestor.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
dryRun:
|
|
description: DryRun configuration
|
|
properties:
|
|
enable:
|
|
type: boolean
|
|
namespace:
|
|
type: string
|
|
type: object
|
|
ignoreFields:
|
|
description: Fields which will be ignored while comparing
|
|
manifests.
|
|
items:
|
|
properties:
|
|
fields:
|
|
items:
|
|
type: string
|
|
type: array
|
|
objects:
|
|
items:
|
|
properties:
|
|
group:
|
|
type: string
|
|
kind:
|
|
type: string
|
|
name:
|
|
type: string
|
|
namespace:
|
|
type: string
|
|
version:
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
repository:
|
|
description: Repository is an optional alternate OCI
|
|
repository to use for resource bundle reference. The
|
|
repository can be overridden per Attestor or Attestation.
|
|
type: string
|
|
type: object
|
|
message:
|
|
description: Message specifies a custom message to be displayed
|
|
on failure.
|
|
type: string
|
|
pattern:
|
|
description: Pattern specifies an overlay-style pattern
|
|
used to check resources.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
podSecurity:
|
|
description: PodSecurity applies exemptions for Kubernetes
|
|
Pod Security admission by specifying exclusions for Pod
|
|
Security Standards controls.
|
|
properties:
|
|
exclude:
|
|
description: Exclude specifies the Pod Security Standard
|
|
controls to be excluded.
|
|
items:
|
|
description: PodSecurityStandard specifies the Pod
|
|
Security Standard controls to be excluded.
|
|
properties:
|
|
controlName:
|
|
description: 'ControlName specifies the name of
|
|
the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/'
|
|
enum:
|
|
- HostProcess
|
|
- Host Namespaces
|
|
- Privileged Containers
|
|
- Capabilities
|
|
- HostPath Volumes
|
|
- Host Ports
|
|
- AppArmor
|
|
- SELinux
|
|
- /proc Mount Type
|
|
- Seccomp
|
|
- Sysctls
|
|
- Volume Types
|
|
- Privilege Escalation
|
|
- Running as Non-root
|
|
- Running as Non-root user
|
|
type: string
|
|
images:
|
|
description: 'Images selects matching containers
|
|
and applies the container level PSS. Each image
|
|
is the image name consisting of the registry
|
|
address, repository, image, and tag. Empty list
|
|
matches no containers, PSS checks are applied
|
|
at the pod level only. Wildcards (''*'' and
|
|
''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- controlName
|
|
type: object
|
|
type: array
|
|
level:
|
|
description: Level defines the Pod Security Standard
|
|
level to be applied to workloads. Allowed values are
|
|
privileged, baseline, and restricted.
|
|
enum:
|
|
- privileged
|
|
- baseline
|
|
- restricted
|
|
type: string
|
|
version:
|
|
description: Version defines the Pod Security Standard
|
|
versions that Kubernetes supports. Allowed values
|
|
are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25,
|
|
v1.26, latest. Defaults to latest.
|
|
enum:
|
|
- v1.19
|
|
- v1.20
|
|
- v1.21
|
|
- v1.22
|
|
- v1.23
|
|
- v1.24
|
|
- v1.25
|
|
- v1.26
|
|
- latest
|
|
type: string
|
|
type: object
|
|
type: object
|
|
verifyImages:
|
|
description: VerifyImages is used to verify image signatures
|
|
and mutate them to add a digest
|
|
items:
|
|
description: ImageVerification validates that images that
|
|
match the specified pattern are signed with the supplied
|
|
public key. Once the image is verified it is mutated to
|
|
include the SHA digest retrieved during the registration.
|
|
properties:
|
|
attestations:
|
|
description: Attestations are optional checks for signed
|
|
in-toto Statements used to verify the image. See https://github.com/in-toto/attestation.
|
|
Kyverno fetches signed attestations from the OCI registry
|
|
and decodes them into a list of Statement declarations.
|
|
items:
|
|
description: Attestation are checks for signed in-toto
|
|
Statements that are used to verify the image. See
|
|
https://github.com/in-toto/attestation. Kyverno fetches
|
|
signed attestations from the OCI registry and decodes
|
|
them into a list of Statements.
|
|
properties:
|
|
attestors:
|
|
description: Attestors specify the required attestors
|
|
(i.e. authorities)
|
|
items:
|
|
properties:
|
|
count:
|
|
description: Count specifies the required
|
|
number of entries that must match. If the
|
|
count is null, all entries must match (a
|
|
logical AND). If the count is 1, at least
|
|
one entry must match (a logical OR). If
|
|
the count contains a value N, then N must
|
|
be less than or equal to the size of entries,
|
|
and at least N entries must match.
|
|
minimum: 1
|
|
type: integer
|
|
entries:
|
|
description: Entries contains the available
|
|
attestors. An attestor can be a static key,
|
|
attributes for keyless verification, or
|
|
a nested attestor declaration.
|
|
items:
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations are used for
|
|
image verification. Every specified
|
|
key-value pair must exist and match
|
|
in the verified payload. The payload
|
|
may contain other key-value pairs.
|
|
type: object
|
|
attestor:
|
|
description: Attestor is a nested AttestorSet
|
|
used to specify a more complex set
|
|
of match authorities
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
certificates:
|
|
description: Certificates specifies
|
|
one or more certificates
|
|
properties:
|
|
cert:
|
|
description: Certificate is an optional
|
|
PEM encoded public certificate.
|
|
type: string
|
|
certChain:
|
|
description: CertificateChain is
|
|
an optional PEM encoded set of
|
|
certificates used to verify
|
|
type: string
|
|
ctlog:
|
|
description: CTLog provides configuration
|
|
for validation of SCTs. If the
|
|
value is nil, default ctlog public
|
|
key is used
|
|
properties:
|
|
ignoreSCT:
|
|
description: IgnoreSCT, when true, skips
the check that a certificate contains
an embedded SCT during verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: CTLogPubKey, if
|
|
set, is used to validate SCTs
|
|
against those keys.
|
|
type: string
|
|
type: object
|
|
rekor:
|
|
description: Rekor provides configuration
|
|
for the Rekor transparency log
|
|
service. If an empty object is
|
|
provided the public instance of
|
|
Rekor (https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
tlog verification
|
|
type: boolean
|
|
pubkey:
|
|
description: RekorPubKey is
|
|
an optional PEM encoded public
|
|
key to use for a custom Rekor.
|
|
If set, is used to validate
|
|
signatures on log entries
|
|
from Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
type: object
|
|
keyless:
|
|
description: Keyless is a set of attributes
|
|
used to verify a Sigstore keyless
|
|
attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions
|
|
are certificate-extensions used
|
|
for keyless signing.
|
|
type: object
|
|
ctlog:
|
|
description: CTLog provides configuration
|
|
for validation of SCTs. If the
|
|
value is nil, default ctlog public
|
|
key is used
|
|
properties:
|
|
ignoreSCT:
|
|
description: IgnoreSCT, when true, skips
the check that a certificate contains
an embedded SCT during verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: CTLogPubKey, if
|
|
set, is used to validate SCTs
|
|
against those keys.
|
|
type: string
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
rekor:
|
|
description: Rekor provides configuration
|
|
for the Rekor transparency log
|
|
service. If an empty object is
|
|
provided the public instance of
|
|
Rekor (https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
tlog verification
|
|
type: boolean
|
|
pubkey:
|
|
description: RekorPubKey is
|
|
an optional PEM encoded public
|
|
key to use for a custom Rekor.
|
|
If set, is used to validate
|
|
signatures on log entries
|
|
from Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
roots:
|
|
description: Roots is an optional
|
|
set of PEM encoded trusted root
|
|
certificates. If not provided,
|
|
the system roots are used.
|
|
type: string
|
|
subject:
|
|
description: Subject is the verified
|
|
identity used for keyless signing,
|
|
for example the email address
|
|
type: string
|
|
type: object
|
|
keys:
|
|
description: Keys specifies one or more
|
|
public keys
|
|
properties:
|
|
ctlog:
|
|
description: CTLog provides configuration
|
|
for validation of SCTs. If the
|
|
value is nil, default ctlog public
|
|
key is used
|
|
properties:
|
|
ignoreSCT:
|
|
description: IgnoreSCT, when true, skips
the check that a certificate contains
an embedded SCT during verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: CTLogPubKey, if
|
|
set, is used to validate SCTs
|
|
against those keys.
|
|
type: string
|
|
type: object
|
|
kms:
|
|
description: 'KMS provides the URI
|
|
to the public key stored in a
|
|
Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
|
|
type: string
|
|
publicKeys:
|
|
description: Keys is a set of X.509
|
|
public keys used to verify image
|
|
signatures. The keys can be directly
|
|
specified or can be a variable
|
|
reference to a key specified in
|
|
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
|
|
or reference a standard Kubernetes
|
|
Secret elsewhere in the cluster
|
|
by specifying it in the format
|
|
"k8s://<namespace>/<secret_name>".
|
|
The named Secret must specify
|
|
a key `cosign.pub` containing
|
|
the public key used for verification,
|
|
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
|
|
When multiple keys are specified
|
|
each key is processed as a separate
|
|
staticKey entry (.attestors[*].entries.keys)
|
|
within the set of attestors and
|
|
the count is applied across the
|
|
keys.
|
|
type: string
|
|
rekor:
|
|
description: Rekor provides configuration
|
|
for the Rekor transparency log
|
|
service. If an empty object is
|
|
provided the public instance of
|
|
Rekor (https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
tlog verification
|
|
type: boolean
|
|
pubkey:
|
|
description: RekorPubKey is
|
|
an optional PEM encoded public
|
|
key to use for a custom Rekor.
|
|
If set, is used to validate
|
|
signatures on log entries
|
|
from Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
secret:
|
|
description: Reference to a Secret
|
|
resource that contains a public
|
|
key
|
|
properties:
|
|
name:
|
|
description: Name of the secret.
|
|
The provided secret must contain
|
|
a key named cosign.pub.
|
|
type: string
|
|
namespace:
|
|
description: Namespace name
|
|
where the Secret exists.
|
|
type: string
|
|
required:
|
|
- name
|
|
- namespace
|
|
type: object
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Specify signature algorithm
|
|
for public keys. Supported values
|
|
are sha256 and sha512
|
|
type: string
|
|
type: object
|
|
repository:
|
|
description: Repository is an optional
|
|
alternate OCI repository to use for
|
|
signatures and attestations that match
|
|
this rule. If specified Repository
|
|
will override other OCI image repository
|
|
locations for this Attestor.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
conditions:
|
|
description: Conditions are used to verify attributes
|
|
within a Predicate. If no Conditions are specified
|
|
the attestation check is satisfied as long as there
|
|
are predicates that match the predicate type.
|
|
items:
|
|
description: AnyAllConditions consists of conditions
|
|
wrapped denoting a logical criteria to be fulfilled.
|
|
AnyConditions get fulfilled when at least one
|
|
of its sub-conditions passes. AllConditions
|
|
get fulfilled only when all of its sub-conditions
|
|
pass.
|
|
properties:
|
|
all:
|
|
description: AllConditions enable variable-based
|
|
conditional rule execution. This is useful
|
|
for finer control of when a rule is applied.
|
|
A condition can reference object data using
|
|
JMESPath notation. Here, all of the conditions
|
|
need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: 'Operator is the conditional
|
|
operation to perform. Valid operators
|
|
are: Equals, NotEquals, In, AnyIn,
|
|
AllIn, NotIn, AnyNotIn, AllNotIn,
|
|
GreaterThanOrEquals, GreaterThan,
|
|
LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
|
|
DurationGreaterThan, DurationLessThanOrEquals,
|
|
DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional
|
|
value, or set of values. The values
|
|
can be fixed set or can be variables
|
|
declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: AnyConditions enable variable-based
|
|
conditional rule execution. This is useful
|
|
for finer control of when a rule is applied.
|
|
A condition can reference object data using
|
|
JMESPath notation. Here, at least one of
|
|
the conditions needs to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: 'Operator is the conditional
|
|
operation to perform. Valid operators
|
|
are: Equals, NotEquals, In, AnyIn,
|
|
AllIn, NotIn, AnyNotIn, AllNotIn,
|
|
GreaterThanOrEquals, GreaterThan,
|
|
LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
|
|
DurationGreaterThan, DurationLessThanOrEquals,
|
|
DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional
|
|
value, or set of values. The values
|
|
can be fixed set or can be variables
|
|
declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
predicateType:
|
|
description: Deprecated in favour of 'Type', to
|
|
be removed soon
|
|
type: string
|
|
type:
|
|
description: Type defines the type of attestation
|
|
contained within the Statement.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
attestors:
|
|
description: Attestors specify the required attestors
|
|
(i.e. authorities)
|
|
items:
|
|
properties:
|
|
count:
|
|
description: Count specifies the required number
|
|
of entries that must match. If the count is null,
|
|
all entries must match (a logical AND). If the
|
|
count is 1, at least one entry must match (a logical
|
|
OR). If the count contains a value N, then N must
|
|
be less than or equal to the size of entries,
|
|
and at least N entries must match.
|
|
minimum: 1
|
|
type: integer
|
|
entries:
|
|
description: Entries contains the available attestors.
|
|
An attestor can be a static key, attributes for
|
|
keyless verification, or a nested attestor declaration.
|
|
items:
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations are used for image
|
|
verification. Every specified key-value
|
|
pair must exist and match in the verified
|
|
payload. The payload may contain other key-value
|
|
pairs.
|
|
type: object
|
|
attestor:
|
|
description: Attestor is a nested AttestorSet
|
|
used to specify a more complex set of match
|
|
authorities
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
certificates:
|
|
description: Certificates specifies one or
|
|
more certificates
|
|
properties:
|
|
cert:
|
|
description: Certificate is an optional
|
|
PEM encoded public certificate.
|
|
type: string
|
|
certChain:
|
|
description: CertificateChain is an optional
|
|
PEM encoded set of certificates used
|
|
to verify
|
|
type: string
|
|
ctlog:
|
|
description: CTLog provides configuration
|
|
for validation of SCTs. If the value
|
|
is nil, default ctlog public key is
|
|
used
|
|
properties:
|
|
ignoreSCT:
|
|
description: IgnoreSCT, when true, skips the
check that a certificate contains an embedded
SCT during verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: CTLogPubKey, if set,
|
|
is used to validate SCTs against
|
|
those keys.
|
|
type: string
|
|
type: object
|
|
rekor:
|
|
description: Rekor provides configuration
|
|
for the Rekor transparency log service.
|
|
If an empty object is provided the public
|
|
instance of Rekor (https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips tlog
|
|
verification
|
|
type: boolean
|
|
pubkey:
|
|
description: RekorPubKey is an optional
|
|
PEM encoded public key to use for
|
|
a custom Rekor. If set, is used
|
|
to validate signatures on log entries
|
|
from Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address of
|
|
the transparency log. Defaults to
|
|
the public log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
type: object
|
|
keyless:
|
|
description: Keyless is a set of attributes
|
|
used to verify a Sigstore keyless attestor.
|
|
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions are
|
|
certificate-extensions used for keyless
|
|
signing.
|
|
type: object
|
|
ctlog:
|
|
description: CTLog provides configuration
|
|
for validation of SCTs. If the value
|
|
is nil, default ctlog public key is
|
|
used
|
|
properties:
|
|
ignoreSCT:
|
|
description: IgnoreSCT, when true, skips the
check that a certificate contains an embedded
SCT during verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: CTLogPubKey, if set,
|
|
is used to validate SCTs against
|
|
those keys.
|
|
type: string
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
rekor:
|
|
description: Rekor provides configuration
|
|
for the Rekor transparency log service.
|
|
If an empty object is provided the public
|
|
instance of Rekor (https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips tlog
|
|
verification
|
|
type: boolean
|
|
pubkey:
|
|
description: RekorPubKey is an optional
|
|
PEM encoded public key to use for
|
|
a custom Rekor. If set, is used
|
|
to validate signatures on log entries
|
|
from Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address of
|
|
the transparency log. Defaults to
|
|
the public log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
roots:
|
|
description: Roots is an optional set
|
|
of PEM encoded trusted root certificates.
|
|
If not provided, the system roots are
|
|
used.
|
|
type: string
|
|
subject:
|
|
description: Subject is the verified identity
|
|
used for keyless signing, for example
|
|
the email address
|
|
type: string
|
|
type: object
|
|
keys:
|
|
description: Keys specifies one or more public
|
|
keys
|
|
properties:
|
|
ctlog:
|
|
description: CTLog provides configuration
|
|
for validation of SCTs. If the value
|
|
is nil, default ctlog public key is
|
|
used
|
|
properties:
|
|
ignoreSCT:
|
|
description: IgnoreSCT, when true, skips the
check that a certificate contains an embedded
SCT during verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: CTLogPubKey, if set,
|
|
is used to validate SCTs against
|
|
those keys.
|
|
type: string
|
|
type: object
|
|
kms:
|
|
description: 'KMS provides the URI to
|
|
the public key stored in a Key Management
|
|
System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
|
|
type: string
|
|
publicKeys:
|
|
description: Keys is a set of X.509 public
|
|
keys used to verify image signatures.
|
|
The keys can be directly specified or
|
|
can be a variable reference to a key
|
|
specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
|
|
or reference a standard Kubernetes Secret
|
|
elsewhere in the cluster by specifying
|
|
it in the format "k8s://<namespace>/<secret_name>".
|
|
The named Secret must specify a key
|
|
`cosign.pub` containing the public key
|
|
used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
|
|
When multiple keys are specified each
|
|
key is processed as a separate staticKey
|
|
entry (.attestors[*].entries.keys) within
|
|
the set of attestors and the count is
|
|
applied across the keys.
|
|
type: string
|
|
rekor:
|
|
description: Rekor provides configuration
|
|
for the Rekor transparency log service.
|
|
If an empty object is provided the public
|
|
instance of Rekor (https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips tlog
|
|
verification
|
|
type: boolean
|
|
pubkey:
|
|
description: RekorPubKey is an optional
|
|
PEM encoded public key to use for
|
|
a custom Rekor. If set, is used
|
|
to validate signatures on log entries
|
|
from Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address of
|
|
the transparency log. Defaults to
|
|
the public log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
secret:
|
|
description: Reference to a Secret resource
|
|
that contains a public key
|
|
properties:
|
|
name:
|
|
description: Name of the secret. The
|
|
provided secret must contain a key
|
|
named cosign.pub.
|
|
type: string
|
|
namespace:
|
|
description: Namespace name where
|
|
the Secret exists.
|
|
type: string
|
|
required:
|
|
- name
|
|
- namespace
|
|
type: object
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Specify signature algorithm
|
|
for public keys. Supported values are
|
|
sha256 and sha512
|
|
type: string
|
|
type: object
|
|
repository:
|
|
description: Repository is an optional alternate
|
|
OCI repository to use for signatures and
|
|
attestations that match this rule. If specified
|
|
Repository will override other OCI image
|
|
repository locations for this Attestor.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
imageReferences:
|
|
description: 'ImageReferences is a list of matching image
|
|
reference patterns. At least one pattern in the list
|
|
must match the image for the rule to apply. Each image
|
|
reference consists of a registry address (defaults to
|
|
docker.io), repository, image, and tag (defaults to
|
|
latest). Wildcards (''*'' and ''?'') are allowed. See:
|
|
https://kubernetes.io/docs/concepts/containers/images.'
|
|
items:
|
|
type: string
|
|
type: array
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides credentials
|
|
that will be used for authentication with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows insecure
|
|
access to a registry
|
|
type: boolean
|
|
providers:
|
|
description: 'Providers specifies a list of OCI Registry
|
|
names, whose authentication providers are provided.
|
|
It can be one of these values: AWS, ACR, GCP,
|
|
GHCR'
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: Secrets specifies a list of secrets that
|
|
are provided for credentials. Secrets must live in
|
|
the Kyverno namespace
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
mutateDigest:
|
|
default: true
|
|
description: MutateDigest enables replacement of image
|
|
tags with digests. Defaults to true.
|
|
type: boolean
|
|
repository:
|
|
description: Repository is an optional alternate OCI repository
|
|
to use for image signatures and attestations that match
|
|
this rule. If specified Repository will override the
|
|
default OCI image repository configured for the installation.
|
|
The repository can also be overridden per Attestor or
|
|
Attestation.
|
|
type: string
|
|
required:
|
|
default: true
|
|
description: Required validates that images are verified
|
|
i.e. have passed a signature or attestation
|
|
check.
|
|
type: boolean
|
|
type:
|
|
description: Type specifies the method of signature validation.
|
|
The allowed options are Cosign and Notary. By default
|
|
Cosign is used if a type is not specified.
|
|
enum:
|
|
- Cosign
|
|
- Notary
|
|
type: string
|
|
useCache:
|
|
default: true
|
|
description: UseCache enables caching of image verify
|
|
responses for this rule
|
|
type: boolean
|
|
verifyDigest:
|
|
default: true
|
|
description: VerifyDigest validates that images have a
|
|
digest.
|
|
type: boolean
|
|
type: object
|
|
type: array
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
schemaValidation:
|
|
description: SchemaValidation enables schema validation checks for policies
|
|
as well as patched resources. Optional. The default value is set
|
|
to "true"; it must be set to "false" to disable the validation checks.
|
|
type: boolean
|
|
useServerSideApply:
|
|
description: UseServerSideApply controls whether to use server-side
|
|
apply for generate rules. If set to "true", create & update for
|
|
generate rules will use apply instead of create/update. Defaults
|
|
to "false" if not specified.
|
|
type: boolean
|
|
validationFailureAction:
|
|
default: Audit
|
|
description: ValidationFailureAction defines if a validation policy
|
|
rule violation should block the admission review request (enforce),
|
|
or allow (audit) the admission review request and report an error
|
|
in a policy report. Optional. Allowed values are audit or enforce.
|
|
The default value is "Audit".
|
|
enum:
|
|
- audit
|
|
- enforce
|
|
- Audit
|
|
- Enforce
|
|
type: string
|
|
validationFailureActionOverrides:
|
|
description: ValidationFailureActionOverrides is a Cluster Policy
|
|
attribute that specifies ValidationFailureAction namespace-wise.
|
|
It overrides ValidationFailureAction for the specified namespaces.
|
|
items:
|
|
properties:
|
|
action:
|
|
description: ValidationFailureAction defines the policy validation
|
|
failure action
|
|
enum:
|
|
- audit
|
|
- enforce
|
|
- Audit
|
|
- Enforce
|
|
type: string
|
|
namespaceSelector:
|
|
description: A label selector is a label query over a set of
|
|
resources. The result of matchLabels and matchExpressions
|
|
are ANDed. An empty label selector matches all objects. A
|
|
null label selector matches no objects.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label selector
|
|
requirements. The requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement is a selector
|
|
that contains values, a key, and an operator that relates
|
|
the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the selector
|
|
applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's relationship
|
|
to a set of values. Valid operators are In, NotIn,
|
|
Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string values.
|
|
If the operator is In or NotIn, the values array
|
|
must be non-empty. If the operator is Exists or
|
|
DoesNotExist, the values array must be empty. This
|
|
array is replaced during a strategic merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value} pairs.
|
|
A single {key,value} in the matchLabels map is equivalent
|
|
to an element of matchExpressions, whose key field is
|
|
"key", the operator is "In", and the values array contains
|
|
only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
type: array
|
|
webhookTimeoutSeconds:
|
|
description: WebhookTimeoutSeconds specifies the maximum time in seconds
|
|
allowed to apply this policy. After the configured time expires,
|
|
the admission request may fail, or may simply ignore the policy
|
|
results, based on the failure policy. The default timeout is 10s,
|
|
the value must be between 1 and 30 seconds.
|
|
format: int32
|
|
type: integer
|
|
type: object
|
|
status:
|
|
description: Status contains policy runtime data.
|
|
properties:
|
|
autogen:
|
|
description: AutogenStatus contains autogen status information.
|
|
properties:
|
|
rules:
|
|
description: Rules is a list of Rule instances. It contains auto
|
|
generated rules added for pod controllers
|
|
items:
|
|
description: Rule defines a validation, mutation, or generation
|
|
control for matching resources. Each rule contains a match
|
|
declaration to select resources, and an optional exclude declaration
|
|
to specify which resources to exclude.
|
|
properties:
|
|
celPreconditions:
|
|
description: CELPreconditions are used to determine if a
|
|
policy rule should be applied by evaluating a set of CEL
|
|
conditions. It can only be used with the validate.cel
|
|
subrule
|
|
items:
|
|
description: MatchCondition represents a condition which
|
|
must be fulfilled for a request to be sent to a webhook.
|
|
properties:
|
|
expression:
|
|
description: "Expression represents the expression
|
|
which will be evaluated by CEL. Must evaluate to
|
|
bool. CEL expressions have access to the contents
|
|
of the AdmissionRequest and Authorizer, organized
|
|
into CEL variables: \n 'object' - The object from
|
|
the incoming request. The value is null for DELETE
|
|
requests. 'oldObject' - The existing object. The
|
|
value is null for CREATE requests. 'request' - Attributes
|
|
of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
|
|
'authorizer' - A CEL Authorizer. May be used to
|
|
perform authorization checks for the principal (user
|
|
or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
|
'authorizer.requestResource' - A CEL ResourceCheck
|
|
constructed from the 'authorizer' and configured
|
|
with the request resource. Documentation on CEL:
|
|
https://kubernetes.io/docs/reference/using-api/cel/
|
|
\n Required."
|
|
type: string
|
|
name:
|
|
description: "Name is an identifier for this match
|
|
condition, used for strategic merging of MatchConditions,
|
|
as well as providing an identifier for logging purposes.
|
|
A good name should be descriptive of the associated
|
|
expression. Name must be a qualified name consisting
|
|
of alphanumeric characters, '-', '_' or '.', and
|
|
must start and end with an alphanumeric character
|
|
(e.g. 'MyName', or 'my.name', or '123-abc', regex
|
|
used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
|
|
with an optional DNS subdomain prefix and '/' (e.g.
|
|
'example.com/MyName') \n Required."
|
|
type: string
|
|
required:
|
|
- expression
|
|
- name
|
|
type: object
|
|
type: array
|
|
context:
|
|
description: Context defines variables and data sources
|
|
that can be used during rule execution.
|
|
items:
|
|
description: ContextEntry adds variables and data sources
|
|
to a rule Context. Either a ConfigMap reference or an
|
|
APILookup must be provided.
|
|
properties:
|
|
apiCall:
|
|
description: APICall is an HTTP request to the Kubernetes
|
|
API server, or other JSON web service. The data
|
|
returned is stored in the context with the name
|
|
for the context entry.
|
|
properties:
|
|
data:
|
|
description: Data specifies the POST data sent
|
|
to the server.
|
|
items:
|
|
description: RequestData contains the HTTP POST
|
|
data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
jmesPath:
|
|
description: JMESPath is an optional JSON Match
|
|
Expression that can be used to transform the
|
|
JSON response returned from the server. For
|
|
example a JMESPath of "items | length(@)" applied
|
|
to the API server response for the URLPath "/apis/apps/v1/deployments"
|
|
will return the total count of deployments across
|
|
all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request type (GET
|
|
or POST).
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: Service is an API call to a JSON
|
|
web service
|
|
properties:
|
|
caBundle:
|
|
description: CABundle is a PEM encoded CA
|
|
bundle which will be used to validate the
|
|
server certificate.
|
|
type: string
|
|
url:
|
|
description: URL is the JSON web service URL.
|
|
A typical form is `https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: URLPath is the URL path to be used
|
|
in the HTTP GET or POST request to the Kubernetes
|
|
API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used
|
|
by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: ImageRegistry defines requests to an
|
|
OCI/Docker V2 registry to fetch image details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides
|
|
credentials that will be used for authentication
|
|
with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows
|
|
insecure access to a registry
|
|
type: boolean
|
|
providers:
|
|
description: 'Providers specifies a list of
|
|
OCI Registry names, whose authentication
|
|
providers are provided. It can be one
|
|
of these values: AWS, ACR, GCP, GHCR'
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential providers
|
|
required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: Secrets specifies a list of secrets
|
|
that are provided for credentials. Secrets
|
|
must live in the Kyverno namespace
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: JMESPath is an optional JSON Match
|
|
Expression that can be used to transform the
|
|
ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: 'Reference is image reference to
|
|
a container image in the registry. Example:
|
|
ghcr.io/kyverno/kyverno:latest'
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath
|
|
context variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: Default is an optional arbitrary
|
|
JSON object that the variable may take if the
|
|
JMESPath expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: JMESPath is an optional JMESPath
|
|
Expression that can be used to transform the
|
|
variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON object
|
|
representable in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: object
|
|
type: array
|
|
exclude:
|
|
description: ExcludeResources defines when this policy rule
|
|
should not be applied. The exclude criteria can include
|
|
resource information (e.g. kind, name, namespace, labels)
|
|
and admission review request information like the name
|
|
or role.
|
|
properties:
|
|
all:
|
|
description: All allows specifying resources which will
|
|
be ANDed
|
|
items:
|
|
description: ResourceFilter allows users to "AND" or
|
|
"OR" between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations is a map of annotations
|
|
(key-value pairs of type string). Annotation
|
|
keys and values support the wildcard characters
|
|
"*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: 'Name is the name of the resource.
|
|
The name supports wildcard characters "*"
|
|
(matches zero or many characters) and "?"
|
|
(at least one character). NOTE: "Name" is
|
|
being deprecated in favor of "Names".'
|
|
type: string
|
|
names:
|
|
description: Names are the names of the resources.
|
|
Each name supports wildcard characters "*"
|
|
(matches zero or many characters) and "?"
|
|
(at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: 'NamespaceSelector is a label
|
|
selector for the resource namespace. Label
|
|
keys and values in `matchLabels` support
|
|
the wildcard characters `*` (matches zero
|
|
or many characters) and `?` (matches one
|
|
character). Wildcards allow writing label
|
|
selectors like ["storage.k8s.io/*": "*"].
|
|
Note that using ["*" : "*"] matches any
|
|
key and value but does not match an empty
|
|
label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values,
|
|
a key, and an operator that relates
|
|
the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents
|
|
a key's relationship to a set
|
|
of values. Valid operators are
|
|
In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array
|
|
of string values. If the operator
|
|
is In or NotIn, the values array
|
|
must be non-empty. If the operator
|
|
is Exists or DoesNotExist, the
|
|
values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator
|
|
is "In", and the values array contains
|
|
only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: Namespaces is a list of namespace
|
|
names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and
|
|
"?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values
|
|
["CREATE", "UPDATE", "CONNECT", "DELETE"],
|
|
which are used to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have
|
|
one of the values CREATE, UPDATE, CONNECT,
|
|
DELETE, which are used to match a specific
|
|
action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: 'Selector is a label selector.
|
|
Label keys and values in `matchLabels` support
|
|
the wildcard characters `*` (matches zero
|
|
or many characters) and `?` (matches one
|
|
character). Wildcards allow writing label
|
|
selectors like ["storage.k8s.io/*": "*"].
|
|
Note that using ["*" : "*"] matches any
|
|
key and value but does not match an empty
|
|
label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values,
|
|
a key, and an operator that relates
|
|
the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents
|
|
a key's relationship to a set
|
|
of values. Valid operators are
|
|
In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array
|
|
of string values. If the operator
|
|
is In or NotIn, the values array
|
|
must be non-empty. If the operator
|
|
is Exists or DoesNotExist, the
|
|
values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator
|
|
is "In", and the values array contains
|
|
only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: Subject contains a reference to
|
|
the object or user identities a role binding
|
|
applies to. This can either hold a direct
|
|
API object reference, or a value for non-objects
|
|
such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: APIGroup holds the API group
|
|
of the referenced subject. Defaults to
|
|
"" for ServiceAccount subjects. Defaults
|
|
to "rbac.authorization.k8s.io" for User
|
|
and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: Kind of object being referenced.
|
|
Values defined by this API group are "User",
|
|
"Group", and "ServiceAccount". If the
|
|
Authorizer does not recognize the kind
|
|
value, the Authorizer should report an
|
|
error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the referenced
|
|
object. If the object kind is non-namespace,
|
|
such as "User" or "Group", and this value
|
|
is not empty the Authorizer should report
|
|
an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: Any allows specifying resources which will
|
|
be ORed
|
|
items:
|
|
description: ResourceFilter allows users to "AND" or
|
|
"OR" between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations is a map of annotations
|
|
(key-value pairs of type string). Annotation
|
|
keys and values support the wildcard characters
|
|
"*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: 'Name is the name of the resource.
|
|
The name supports wildcard characters "*"
|
|
(matches zero or many characters) and "?"
|
|
(at least one character). NOTE: "Name" is
|
|
being deprecated in favor of "Names".'
|
|
type: string
|
|
names:
|
|
description: Names are the names of the resources.
|
|
Each name supports wildcard characters "*"
|
|
(matches zero or many characters) and "?"
|
|
(at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: 'NamespaceSelector is a label
|
|
selector for the resource namespace. Label
|
|
keys and values in `matchLabels` support
|
|
the wildcard characters `*` (matches zero
|
|
or many characters) and `?` (matches one
|
|
character). Wildcards allow writing label
|
|
selectors like ["storage.k8s.io/*": "*"].
|
|
Note that using ["*" : "*"] matches any
|
|
key and value but does not match an empty
|
|
label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values,
|
|
a key, and an operator that relates
|
|
the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents
|
|
a key's relationship to a set
|
|
of values. Valid operators are
|
|
In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array
|
|
of string values. If the operator
|
|
is In or NotIn, the values array
|
|
must be non-empty. If the operator
|
|
is Exists or DoesNotExist, the
|
|
values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator
|
|
is "In", and the values array contains
|
|
only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: Namespaces is a list of namespace
|
|
names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and
|
|
"?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values
|
|
["CREATE", "UPDATE", "CONNECT", "DELETE"],
|
|
which are used to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have
|
|
one of the values CREATE, UPDATE, CONNECT,
|
|
DELETE, which are used to match a specific
|
|
action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: 'Selector is a label selector.
|
|
Label keys and values in `matchLabels` support
|
|
the wildcard characters `*` (matches zero
|
|
or many characters) and `?` (matches one
|
|
character). Wildcards allow writing label
|
|
selectors like ["storage.k8s.io/*": "*"].
|
|
Note that using ["*" : "*"] matches any
|
|
key and value but does not match an empty
|
|
label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values,
|
|
a key, and an operator that relates
|
|
the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents
|
|
a key's relationship to a set
|
|
of values. Valid operators are
|
|
In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array
|
|
of string values. If the operator
|
|
is In or NotIn, the values array
|
|
must be non-empty. If the operator
|
|
is Exists or DoesNotExist, the
|
|
values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator
|
|
is "In", and the values array contains
|
|
only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: Subject contains a reference to
|
|
the object or user identities a role binding
|
|
applies to. This can either hold a direct
|
|
API object reference, or a value for non-objects
|
|
such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: APIGroup holds the API group
|
|
of the referenced subject. Defaults to
|
|
"" for ServiceAccount subjects. Defaults
|
|
to "rbac.authorization.k8s.io" for User
|
|
and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: Kind of object being referenced.
|
|
Values defined by this API group are "User",
|
|
"Group", and "ServiceAccount". If the
|
|
Authorizer does not recognize the kind
|
|
value, the Authorizer should report an
|
|
error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the referenced
|
|
object. If the object kind is non-namespace,
|
|
such as "User" or "Group", and this value
|
|
is not empty the Authorizer should report
|
|
an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified. Requires
|
|
at least one tag to be specified when under MatchResources.
|
|
Specifying ResourceDescription directly under match
|
|
is being deprecated. Please specify under "any" or
|
|
"all" instead.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations is a map of annotations
|
|
(key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*"
|
|
(matches zero or many characters) and "?" (matches
|
|
at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: 'Name is the name of the resource.
|
|
The name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one
|
|
character). NOTE: "Name" is being deprecated in
|
|
favor of "Names".'
|
|
type: string
|
|
names:
|
|
description: Names are the names of the resources.
|
|
Each name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one
|
|
character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: 'NamespaceSelector is a label selector
|
|
for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters
|
|
`*` (matches zero or many characters) and `?`
|
|
(matches one character). Wildcards allow writing
|
|
label selectors like ["storage.k8s.io/*": "*"].
|
|
Note that using ["*" : "*"] matches any key and
|
|
value but does not match an empty label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a key,
|
|
and an operator that relates the key and
|
|
values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only "value".
|
|
The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: Namespaces is a list of namespace
|
|
names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?"
|
|
(at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used
|
|
to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one of
|
|
the values CREATE, UPDATE, CONNECT, DELETE,
|
|
which are used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: 'Selector is a label selector. Label
|
|
keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow
|
|
writing label selectors like ["storage.k8s.io/*":
|
|
"*"]. Note that using ["*" : "*"] matches any
|
|
key and value but does not match an empty label
|
|
set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a key,
|
|
and an operator that relates the key and
|
|
values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only "value".
|
|
The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: Subject contains a reference to the object
|
|
or user identities a role binding applies to. This
|
|
can either hold a direct API object reference, or
|
|
a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: APIGroup holds the API group of the
|
|
referenced subject. Defaults to "" for ServiceAccount
|
|
subjects. Defaults to "rbac.authorization.k8s.io"
|
|
for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: Kind of object being referenced.
|
|
Values defined by this API group are "User",
|
|
"Group", and "ServiceAccount". If the Authorizer
|
|
does not recognize the kind value, the Authorizer
|
|
should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the referenced object. If
|
|
the object kind is non-namespace, such as "User"
|
|
or "Group", and this value is not empty the
|
|
Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
generate:
|
|
description: Generation is used to create new resources.
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
clone:
|
|
description: Clone specifies the source resource used
|
|
to populate each generated resource. At most one of
|
|
Data or Clone can be specified. If neither are provided,
|
|
the generated resource will be created with default
|
|
data only.
|
|
properties:
|
|
name:
|
|
description: Name specifies name of the resource.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies source resource
|
|
namespace.
|
|
type: string
|
|
type: object
|
|
cloneList:
|
|
description: CloneList specifies the list of source
|
|
resource used to populate each generated resource.
|
|
properties:
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespace:
|
|
description: Namespace specifies source resource
|
|
namespace.
|
|
type: string
|
|
selector:
|
|
description: Selector is a label selector. Label
|
|
keys and values in `matchLabels`; wildcard characters
|
|
are not supported.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a key,
|
|
and an operator that relates the key and
|
|
values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only "value".
|
|
The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
data:
|
|
description: Data provides the resource declaration
|
|
used to populate each generated resource. At most
|
|
one of Data or Clone can be specified. If neither
|
|
are provided, the generated resource will be created
|
|
with default data only.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
synchronize:
|
|
description: Synchronize controls if generated resources
|
|
should be kept in-sync with their source resource.
|
|
If Synchronize is set to "true" changes to generated
|
|
resources will be overwritten with resource data from
|
|
Data or the resource specified in the Clone declaration.
|
|
Optional. Defaults to "false" if not specified.
|
|
type: boolean
|
|
type: object
|
|
imageExtractors:
|
|
additionalProperties:
|
|
items:
|
|
properties:
|
|
jmesPath:
|
|
description: 'JMESPath is an optional JMESPath expression
|
|
to apply to the image value. This is useful when
|
|
the extracted image begins with a prefix like
|
|
''docker://''. The ''trim_prefix'' function may
|
|
be used to trim the prefix: trim_prefix(@, ''docker://'').
|
|
Note - Image digest mutation may not be used when
|
|
applying a JMESPath to an image.'
|
|
type: string
|
|
key:
|
|
description: Key is an optional name of the field
|
|
within 'path' that will be used to uniquely identify
|
|
an image. Note - this field MUST be unique.
|
|
type: string
|
|
name:
|
|
description: Name is the entry the image will be
|
|
available under 'images.<name>' in the context.
|
|
If this field is not defined, image entries will
|
|
appear under 'images.custom'.
|
|
type: string
|
|
path:
|
|
description: Path is the path to the object containing
|
|
the image field in a custom resource. It should
|
|
be slash-separated. Each slash-separated key must
|
|
be a valid YAML key or a wildcard '*'. Wildcard
|
|
keys are expanded in case of arrays or objects.
|
|
type: string
|
|
value:
|
|
description: Value is an optional name of the field
|
|
within 'path' that points to the image URI. This
|
|
is useful when a custom 'key' is also defined.
|
|
type: string
|
|
required:
|
|
- path
|
|
type: object
|
|
type: array
|
|
description: ImageExtractors defines a mapping from kinds
|
|
to ImageExtractorConfigs. This config is only valid for
|
|
verifyImages rules.
|
|
type: object
|
|
match:
|
|
description: MatchResources defines when this policy rule
|
|
should be applied. The match criteria can include resource
|
|
information (e.g. kind, name, namespace, labels) and admission
|
|
review request information like the user name or role.
|
|
At least one kind is required.
|
|
properties:
|
|
all:
|
|
description: All allows specifying resources which will
|
|
be ANDed
|
|
items:
|
|
description: ResourceFilter allows users to "AND" or
|
|
"OR" between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations is a map of annotations
|
|
(key-value pairs of type string). Annotation
|
|
keys and values support the wildcard characters
|
|
"*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: 'Name is the name of the resource.
|
|
The name supports wildcard characters "*"
|
|
(matches zero or many characters) and "?"
|
|
(at least one character). NOTE: "Name" is
|
|
being deprecated in favor of "Names".'
|
|
type: string
|
|
names:
|
|
description: Names are the names of the resources.
|
|
Each name supports wildcard characters "*"
|
|
(matches zero or many characters) and "?"
|
|
(at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: 'NamespaceSelector is a label
|
|
selector for the resource namespace. Label
|
|
keys and values in `matchLabels` support
|
|
the wildcard characters `*` (matches zero
|
|
or many characters) and `?` (matches one
|
|
character). Wildcards allow writing label
|
|
selectors like ["storage.k8s.io/*": "*"].
|
|
Note that using ["*" : "*"] matches any
|
|
key and value but does not match an empty
|
|
label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values,
|
|
a key, and an operator that relates
|
|
the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents
|
|
a key's relationship to a set
|
|
of values. Valid operators are
|
|
In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array
|
|
of string values. If the operator
|
|
is In or NotIn, the values array
|
|
must be non-empty. If the operator
|
|
is Exists or DoesNotExist, the
|
|
values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator
|
|
is "In", and the values array contains
|
|
only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: Namespaces is a list of namespace
|
|
names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and
|
|
"?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values
|
|
["CREATE", "UPDATE", "CONNECT", "DELETE"],
|
|
which are used to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have
|
|
one of the values CREATE, UPDATE, CONNECT,
|
|
DELETE, which are used to match a specific
|
|
action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: 'Selector is a label selector.
|
|
Label keys and values in `matchLabels` support
|
|
the wildcard characters `*` (matches zero
|
|
or many characters) and `?` (matches one
|
|
character). Wildcards allow writing label
|
|
selectors like ["storage.k8s.io/*": "*"].
|
|
Note that using ["*" : "*"] matches any
|
|
key and value but does not match an empty
|
|
label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values,
|
|
a key, and an operator that relates
|
|
the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents
|
|
a key's relationship to a set
|
|
of values. Valid operators are
|
|
In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array
|
|
of string values. If the operator
|
|
is In or NotIn, the values array
|
|
must be non-empty. If the operator
|
|
is Exists or DoesNotExist, the
|
|
values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator
|
|
is "In", and the values array contains
|
|
only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: Subject contains a reference to
|
|
the object or user identities a role binding
|
|
applies to. This can either hold a direct
|
|
API object reference, or a value for non-objects
|
|
such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: APIGroup holds the API group
|
|
of the referenced subject. Defaults to
|
|
"" for ServiceAccount subjects. Defaults
|
|
to "rbac.authorization.k8s.io" for User
|
|
and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: Kind of object being referenced.
|
|
Values defined by this API group are "User",
|
|
"Group", and "ServiceAccount". If the
|
|
Authorizer does not recognize the kind
|
|
value, the Authorizer should report an
|
|
error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the referenced
|
|
object. If the object kind is non-namespace,
|
|
such as "User" or "Group", and this value
|
|
is not empty the Authorizer should report
|
|
an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: Any allows specifying resources which will
|
|
be ORed
|
|
items:
|
|
description: ResourceFilter allows users to "AND" or
|
|
"OR" between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations is a map of annotations
|
|
(key-value pairs of type string). Annotation
|
|
keys and values support the wildcard characters
|
|
"*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: 'Name is the name of the resource.
|
|
The name supports wildcard characters "*"
|
|
(matches zero or many characters) and "?"
|
|
(at least one character). NOTE: "Name" is
|
|
being deprecated in favor of "Names".'
|
|
type: string
|
|
names:
|
|
description: Names are the names of the resources.
|
|
Each name supports wildcard characters "*"
|
|
(matches zero or many characters) and "?"
|
|
(at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: 'NamespaceSelector is a label
|
|
selector for the resource namespace. Label
|
|
keys and values in `matchLabels` support
|
|
the wildcard characters `*` (matches zero
|
|
or many characters) and `?` (matches one
|
|
character). Wildcards allow writing label
|
|
selectors like ["storage.k8s.io/*": "*"].
|
|
Note that using ["*" : "*"] matches any
|
|
key and value but does not match an empty
|
|
label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values,
|
|
a key, and an operator that relates
|
|
the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents
|
|
a key's relationship to a set
|
|
of values. Valid operators are
|
|
In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array
|
|
of string values. If the operator
|
|
is In or NotIn, the values array
|
|
must be non-empty. If the operator
|
|
is Exists or DoesNotExist, the
|
|
values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator
|
|
is "In", and the values array contains
|
|
only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: Namespaces is a list of namespace
|
|
names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and
|
|
"?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values
|
|
["CREATE", "UPDATE", "CONNECT", "DELETE"],
|
|
which are used to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have
|
|
one of the values CREATE, UPDATE, CONNECT,
|
|
DELETE, which are used to match a specific
|
|
action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: 'Selector is a label selector.
|
|
Label keys and values in `matchLabels` support
|
|
the wildcard characters `*` (matches zero
|
|
or many characters) and `?` (matches one
|
|
character). Wildcards allow writing label
|
|
selectors like ["storage.k8s.io/*": "*"].
|
|
Note that using ["*" : "*"] matches any
|
|
key and value but does not match an empty
|
|
label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values,
|
|
a key, and an operator that relates
|
|
the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents
|
|
a key's relationship to a set
|
|
of values. Valid operators are
|
|
In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array
|
|
of string values. If the operator
|
|
is In or NotIn, the values array
|
|
must be non-empty. If the operator
|
|
is Exists or DoesNotExist, the
|
|
values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator
|
|
is "In", and the values array contains
|
|
only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: Subject contains a reference to
|
|
the object or user identities a role binding
|
|
applies to. This can either hold a direct
|
|
API object reference, or a value for non-objects
|
|
such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: APIGroup holds the API group
|
|
of the referenced subject. Defaults to
|
|
"" for ServiceAccount subjects. Defaults
|
|
to "rbac.authorization.k8s.io" for User
|
|
and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: Kind of object being referenced.
|
|
Values defined by this API group are "User",
|
|
"Group", and "ServiceAccount". If the
|
|
Authorizer does not recognize the kind
|
|
value, the Authorizer should report an
|
|
error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the referenced
|
|
object. If the object kind is non-namespace,
|
|
such as "User" or "Group", and this value
|
|
is not empty the Authorizer should report
|
|
an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified. Requires
|
|
at least one tag to be specified when under MatchResources.
|
|
Specifying ResourceDescription directly under match
|
|
is being deprecated. Please specify under "any" or
|
|
"all" instead.
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations is a map of annotations
|
|
(key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*"
|
|
(matches zero or many characters) and "?" (matches
|
|
at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: 'Name is the name of the resource.
|
|
The name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one
|
|
character). NOTE: "Name" is being deprecated in
|
|
favor of "Names".'
|
|
type: string
|
|
names:
|
|
description: Names are the names of the resources.
|
|
Each name supports wildcard characters "*" (matches
|
|
zero or many characters) and "?" (at least one
|
|
character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: 'NamespaceSelector is a label selector
|
|
for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters
|
|
`*` (matches zero or many characters) and `?`
|
|
(matches one character). Wildcards allow writing
|
|
label selectors like ["storage.k8s.io/*": "*"].
|
|
Note that using ["*" : "*"] matches any key and
|
|
value but does not match an empty label set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a key,
|
|
and an operator that relates the key and
|
|
values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only "value".
|
|
The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: Namespaces is a list of namespace
|
|
names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?"
|
|
(at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used
|
|
to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one of
|
|
the values CREATE, UPDATE, CONNECT, DELETE,
|
|
which are used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: 'Selector is a label selector. Label
|
|
keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow
|
|
writing label selectors like ["storage.k8s.io/*":
|
|
"*"]. Note that using ["*" : "*"] matches any
|
|
key and value but does not match an empty label
|
|
set.'
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values, a key,
|
|
and an operator that relates the key and
|
|
values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's
|
|
relationship to a set of values. Valid
|
|
operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string
|
|
values. If the operator is In or NotIn,
|
|
the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This
|
|
array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is
|
|
"In", and the values array contains only "value".
|
|
The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: Subject contains a reference to the object
|
|
or user identities a role binding applies to. This
|
|
can either hold a direct API object reference, or
|
|
a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: APIGroup holds the API group of the
|
|
referenced subject. Defaults to "" for ServiceAccount
|
|
subjects. Defaults to "rbac.authorization.k8s.io"
|
|
for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: Kind of object being referenced.
|
|
Values defined by this API group are "User",
|
|
"Group", and "ServiceAccount". If the Authorizer
|
|
does not recognize the kind value, the Authorizer
|
|
should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: Namespace of the referenced object. If
|
|
the object kind is non-namespace, such as "User"
|
|
or "Group", and this value is not empty the
|
|
Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
mutate:
|
|
description: Mutation is used to modify matching resources.
|
|
properties:
|
|
foreach:
|
|
description: ForEach applies mutation rules to a list
|
|
of sub-elements by creating a context for each entry
|
|
in the list and looping over it to apply the specified
|
|
logic.
|
|
items:
|
|
description: ForEachMutation applies mutation rules
|
|
to a list of sub-elements by creating a context
|
|
for each entry in the list and looping over it to
|
|
apply the specified logic.
|
|
properties:
|
|
context:
|
|
description: Context defines variables and data
|
|
sources that can be used during rule execution.
|
|
items:
|
|
description: ContextEntry adds variables and
|
|
data sources to a rule Context. Either a ConfigMap
|
|
reference or an APILookup must be provided.
|
|
properties:
|
|
apiCall:
|
|
description: APICall is an HTTP request
|
|
to the Kubernetes API server, or other
|
|
JSON web service. The data returned is
|
|
stored in the context with the name for
|
|
the context entry.
|
|
properties:
|
|
data:
|
|
description: Data specifies the POST
|
|
data sent to the server.
|
|
items:
|
|
description: RequestData contains
|
|
the HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data
|
|
value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
jmesPath:
|
|
description: JMESPath is an optional
|
|
JSON Match Expression that can be
|
|
used to transform the JSON response
|
|
returned from the server. For example
|
|
a JMESPath of "items | length(@)"
|
|
applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments"
|
|
will return the total count of deployments
|
|
across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST).
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: Service is an API call
|
|
to a JSON web service
|
|
properties:
|
|
caBundle:
|
|
description: CABundle is a PEM encoded
|
|
CA bundle which will be used to
|
|
validate the server certificate.
|
|
type: string
|
|
url:
|
|
description: URL is the JSON web
|
|
service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: URLPath is the URL path
|
|
to be used in the HTTP GET or POST
|
|
request to the Kubernetes API server
|
|
(e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format
|
|
used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap
|
|
reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: ImageRegistry defines requests
|
|
to an OCI/Docker V2 registry to fetch
|
|
image details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials
|
|
provides credentials that will be
|
|
used for authentication with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry
|
|
allows insecure access to a registry
|
|
type: boolean
|
|
providers:
|
|
description: 'Providers specifies
|
|
a list of OCI Registry names,
|
|
whose authentication providers
|
|
are provided. It can be one
|
|
of these values: AWS, ACR, GCP,
|
|
GHCR'
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: Secrets specifies a
|
|
list of secrets that are provided
|
|
for credentials. Secrets must live
|
|
in the Kyverno namespace
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: JMESPath is an optional
|
|
JSON Match Expression that can be
|
|
used to transform the ImageData struct
|
|
returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: 'Reference is image reference
|
|
to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest'
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary
|
|
JMESPath context variable that can be
|
|
defined inline.
|
|
properties:
|
|
default:
|
|
description: Default is an optional
|
|
arbitrary JSON object that the variable
|
|
may take if the JMESPath expression
|
|
evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: JMESPath is an optional
|
|
JMESPath Expression that can be used
|
|
to transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary
|
|
JSON object representable in YAML
|
|
or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: object
|
|
type: array
|
|
foreach:
|
|
description: Foreach declares a nested foreach
|
|
iterator
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
list:
|
|
description: List specifies a JMESPath expression
|
|
that results in one or more elements to which
|
|
the validation logic is applied.
|
|
type: string
|
|
order:
|
|
description: Order defines the iteration order
|
|
on the list. Can be Ascending to iterate from
|
|
first to last element or Descending to iterate
|
|
from last to first element.
|
|
enum:
|
|
- Ascending
|
|
- Descending
|
|
type: string
|
|
patchStrategicMerge:
|
|
description: PatchStrategicMerge is a strategic
|
|
merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
|
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
patchesJson6902:
|
|
description: PatchesJSON6902 is a list of RFC
|
|
6902 JSON Patch declarations used to modify
|
|
resources. See https://tools.ietf.org/html/rfc6902
|
|
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
|
type: string
|
|
preconditions:
|
|
description: 'AnyAllConditions are used to determine
|
|
if a policy rule should be applied by evaluating
|
|
a set of conditions. The declaration can contain
|
|
nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
|
|
properties:
|
|
all:
|
|
description: AllConditions enable variable-based
|
|
conditional rule execution. This is useful
|
|
for finer control of when a rule is applied.
|
|
A condition can reference object data using
|
|
JMESPath notation. Here, all of the conditions
|
|
need to pass.
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: 'Operator is the conditional
|
|
operation to perform. Valid operators
|
|
are: Equals, NotEquals, In, AnyIn,
|
|
AllIn, NotIn, AnyNotIn, AllNotIn,
|
|
GreaterThanOrEquals, GreaterThan,
|
|
LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
|
|
DurationGreaterThan, DurationLessThanOrEquals,
|
|
DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional
|
|
value, or set of values. The values
|
|
can be fixed set or can be variables
|
|
declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: AnyConditions enable variable-based
|
|
conditional rule execution. This is useful
|
|
for finer control of when a rule is applied.
|
|
A condition can reference object data using
|
|
JMESPath notation. Here, at least one of
|
|
the conditions needs to pass.
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: 'Operator is the conditional
|
|
operation to perform. Valid operators
|
|
are: Equals, NotEquals, In, AnyIn,
|
|
AllIn, NotIn, AnyNotIn, AllNotIn,
|
|
GreaterThanOrEquals, GreaterThan,
|
|
LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
|
|
DurationGreaterThan, DurationLessThanOrEquals,
|
|
DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional
|
|
value, or set of values. The values
|
|
can be fixed set or can be variables
|
|
declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
patchStrategicMerge:
|
|
description: PatchStrategicMerge is a strategic merge
|
|
patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
|
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
patchesJson6902:
|
|
description: PatchesJSON6902 is a list of RFC 6902 JSON
|
|
Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902
|
|
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
|
type: string
|
|
targets:
|
|
description: Targets defines the target resources to
|
|
be mutated.
|
|
items:
|
|
description: TargetResourceSpec defines targets for
|
|
mutating existing resources.
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
context:
|
|
description: Context defines variables and data
|
|
sources that can be used during rule execution.
|
|
items:
|
|
description: ContextEntry adds variables and
|
|
data sources to a rule Context. Either a ConfigMap
|
|
reference or an APILookup must be provided.
|
|
properties:
|
|
apiCall:
|
|
description: APICall is an HTTP request
|
|
to the Kubernetes API server, or other
|
|
JSON web service. The data returned is
|
|
stored in the context with the name for
|
|
the context entry.
|
|
properties:
|
|
data:
|
|
description: Data specifies the POST
|
|
data sent to the server.
|
|
items:
|
|
description: RequestData contains
|
|
the HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data
|
|
value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
jmesPath:
|
|
description: JMESPath is an optional
|
|
JSON Match Expression that can be
|
|
used to transform the JSON response
|
|
returned from the server. For example
|
|
a JMESPath of "items | length(@)"
|
|
applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments"
|
|
will return the total count of deployments
|
|
across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST).
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: Service is an API call
|
|
to a JSON web service
|
|
properties:
|
|
caBundle:
|
|
description: CABundle is a PEM encoded
|
|
CA bundle which will be used to
|
|
validate the server certificate.
|
|
type: string
|
|
url:
|
|
description: URL is the JSON web
|
|
service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: URLPath is the URL path
|
|
to be used in the HTTP GET or POST
|
|
request to the Kubernetes API server
|
|
(e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format
|
|
used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap
|
|
reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: ImageRegistry defines requests
|
|
to an OCI/Docker V2 registry to fetch
|
|
image details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials
|
|
provides credentials that will be
|
|
used for authentication with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry
|
|
allows insecure access to a registry
|
|
type: boolean
|
|
providers:
|
|
description: 'Providers specifies
|
|
a list of OCI Registry names,
|
|
whose authentication providers
|
|
are provided. It can be one
|
|
of these values: AWS, ACR, GCP,
|
|
GHCR'
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: Secrets specifies a
|
|
list of secrets that are provided
|
|
for credentials. Secrets must live
|
|
in the Kyverno namespace
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: JMESPath is an optional
|
|
JSON Match Expression that can be
|
|
used to transform the ImageData struct
|
|
returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: 'Reference is image reference
|
|
to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest'
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary
|
|
JMESPath context variable that can be
|
|
defined inline.
|
|
properties:
|
|
default:
|
|
description: Default is an optional
|
|
arbitrary JSON object that the variable
|
|
may take if the JMESPath expression
|
|
evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: JMESPath is an optional
|
|
JMESPath Expression that can be used
|
|
to transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary
|
|
JSON object representable in YAML
|
|
or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: object
|
|
type: array
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
preconditions:
|
|
description: 'Preconditions are used to determine
|
|
if a policy rule should be applied by evaluating
|
|
a set of conditions. The declaration can contain
|
|
nested `any` or `all` statements. A direct list
|
|
of conditions (without `any` or `all` statements)
|
|
is supported for backwards compatibility but
|
|
will be deprecated in the next major release.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/'
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
name:
|
|
description: Name is a label to identify the rule. It must
|
|
be unique within the policy.
|
|
maxLength: 63
|
|
type: string
|
|
preconditions:
|
|
description: 'Preconditions are used to determine if a policy
|
|
rule should be applied by evaluating a set of conditions.
|
|
The declaration can contain nested `any` or `all` statements.
|
|
A direct list of conditions (without `any` or `all` statements)
|
|
is supported for backwards compatibility but will be deprecated
|
|
in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/'
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
validate:
|
|
description: Validation is used to validate matching resources.
|
|
properties:
|
|
anyPattern:
|
|
description: AnyPattern specifies list of validation
|
|
patterns. At least one of the patterns must be satisfied
|
|
for the validation rule to succeed.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
cel:
|
|
description: CEL allows validation checks using the
|
|
Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
|
|
properties:
|
|
auditAnnotations:
|
|
description: AuditAnnotations contains CEL expressions
|
|
which are used to produce audit annotations for
|
|
the audit event of the API request.
|
|
items:
|
|
description: AuditAnnotation describes how to
|
|
produce an audit annotation for an API request.
|
|
properties:
|
|
key:
|
|
description: "key specifies the audit annotation
|
|
key. The audit annotation keys of a ValidatingAdmissionPolicy
|
|
must be unique. The key must be a qualified
|
|
name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more
|
|
than 63 bytes in length. \n The key is combined
|
|
with the resource name of the ValidatingAdmissionPolicy
|
|
to construct an audit annotation key: \"{ValidatingAdmissionPolicy
|
|
name}/{key}\". \n If an admission webhook
|
|
uses the same resource name as this ValidatingAdmissionPolicy
|
|
and the same audit annotation key, the annotation
|
|
key will be identical. In this case, the
|
|
first annotation written with the key will
|
|
be included in the audit event and all subsequent
|
|
annotations with the same key will be discarded.
|
|
\n Required."
|
|
type: string
|
|
valueExpression:
|
|
description: "valueExpression represents the
|
|
expression which is evaluated by CEL to
|
|
produce an audit annotation value. The expression
|
|
must evaluate to either a string or null
|
|
value. If the expression evaluates to a
|
|
string, the audit annotation is included
|
|
with the string value. If the expression
|
|
evaluates to null or empty string the audit
|
|
annotation will be omitted. The valueExpression
|
|
may be no longer than 5kb in length. If
|
|
the result of the valueExpression is more
|
|
than 10kb in length, it will be truncated
|
|
to 10kb. \n If multiple ValidatingAdmissionPolicyBinding
|
|
resources match an API request, then the
|
|
valueExpression will be evaluated for each
|
|
binding. All unique values produced by the
|
|
valueExpressions will be joined together
|
|
in a comma-separated list. \n Required."
|
|
type: string
|
|
required:
|
|
- key
|
|
- valueExpression
|
|
type: object
|
|
type: array
|
|
expressions:
|
|
description: Expressions is a list of CELExpression
|
|
types.
|
|
items:
|
|
description: Validation specifies the CEL expression
|
|
which is used to apply the validation.
|
|
properties:
|
|
expression:
|
|
description: "Expression represents the expression
|
|
which will be evaluated by CEL. ref: https://github.com/google/cel-spec
|
|
CEL expressions have access to the contents
|
|
of the API request/response, organized into
|
|
CEL variables as well as some other useful
|
|
variables: \n - 'object' - The object from
|
|
the incoming request. The value is null
|
|
for DELETE requests. - 'oldObject' - The
|
|
existing object. The value is null for CREATE
|
|
requests. - 'request' - Attributes of the
|
|
API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
|
|
- 'params' - Parameter resource referred
|
|
to by the policy binding being evaluated.
|
|
Only populated if the policy has a ParamKind.
|
|
- 'namespaceObject' - The namespace object
|
|
that the incoming object belongs to. The
|
|
value is null for cluster-scoped resources.
|
|
- 'variables' - Map of composited variables,
|
|
from its name to its lazily evaluated value.
|
|
For example, a variable named 'foo' can
|
|
be accessed as 'variables.foo'. - 'authorizer'
|
|
- A CEL Authorizer. May be used to perform
|
|
authorization checks for the principal (user
|
|
or service account) of the request. See
|
|
https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
|
- 'authorizer.requestResource' - A CEL ResourceCheck
|
|
constructed from the 'authorizer' and configured
|
|
with the request resource. \n The `apiVersion`,
|
|
`kind`, `metadata.name` and `metadata.generateName`
|
|
are always accessible from the root of the
|
|
object. No other metadata properties are
|
|
accessible. \n Only property names of the
|
|
form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are
|
|
accessible. Accessible property names are
|
|
escaped according to the following rules
|
|
when accessed in the expression: - '__'
|
|
escapes to '__underscores__' - '.' escapes
|
|
to '__dot__' - '-' escapes to '__dash__'
|
|
- '/' escapes to '__slash__' - Property
|
|
names that exactly match a CEL RESERVED
|
|
keyword escape to '__{keyword}__'. The keywords
|
|
are: \"true\", \"false\", \"null\", \"in\",
|
|
\"as\", \"break\", \"const\", \"continue\",
|
|
\"else\", \"for\", \"function\", \"if\",
|
|
\"import\", \"let\", \"loop\", \"package\",
|
|
\"namespace\", \"return\". Examples: - Expression
|
|
accessing a property named \"namespace\":
|
|
{\"Expression\": \"object.__namespace__
|
|
> 0\"} - Expression accessing a property
|
|
named \"x-prop\": {\"Expression\": \"object.x__dash__prop
|
|
> 0\"} - Expression accessing a property
|
|
named \"redact__d\": {\"Expression\": \"object.redact__underscores__d
|
|
> 0\"} \n Equality on arrays with list type
|
|
of 'set' or 'map' ignores element order,
|
|
i.e. [1, 2] == [2, 1]. Concatenation on
|
|
arrays with x-kubernetes-list-type use the
|
|
semantics of the list type: - 'set': `X
|
|
+ Y` performs a union where the array positions
|
|
of all elements in `X` are preserved and
|
|
non-intersecting elements in `Y` are appended,
|
|
retaining their partial order. - 'map':
|
|
`X + Y` performs a merge where the array
|
|
positions of all keys in `X` are preserved
|
|
but the values are overwritten by values
|
|
in `Y` when the key sets of `X` and `Y`
|
|
intersect. Elements in `Y` with non-intersecting
|
|
keys are appended, retaining their partial
|
|
order. Required."
|
|
type: string
|
|
message:
|
|
description: 'Message represents the message
|
|
displayed when validation fails. The message
|
|
is required if the Expression contains line
|
|
breaks. The message must not contain line
|
|
breaks. If unset, the message is "failed
|
|
rule: {Rule}". e.g. "must be a URL with
|
|
the host matching spec.host" If the Expression
|
|
contains line breaks. Message is required.
|
|
The message must not contain line breaks.
|
|
If unset, the message is "failed Expression:
|
|
{Expression}".'
|
|
type: string
|
|
messageExpression:
|
|
description: 'messageExpression declares a
|
|
CEL expression that evaluates to the validation
|
|
failure message that is returned when this
|
|
rule fails. Since messageExpression is used
|
|
as a failure message, it must evaluate to
|
|
a string. If both message and messageExpression
|
|
are present on a validation, then messageExpression
|
|
will be used if validation fails. If messageExpression
|
|
results in a runtime error, the runtime
|
|
error is logged, and the validation failure
|
|
message is produced as if the messageExpression
|
|
field were unset. If messageExpression evaluates
|
|
to an empty string, a string with only spaces,
|
|
or a string that contains line breaks, then
|
|
the validation failure message will also
|
|
be produced as if the messageExpression
|
|
field were unset, and the fact that messageExpression
|
|
produced an empty string/string with only
|
|
spaces/string with line breaks will be logged.
|
|
messageExpression has access to all the
|
|
same variables as the `expression` except
|
|
for ''authorizer'' and ''authorizer.requestResource''.
|
|
Example: "object.x must be less than max
|
|
("+string(params.max)+")"'
|
|
type: string
|
|
reason:
|
|
description: 'Reason represents a machine-readable
|
|
description of why this validation failed.
|
|
If this is the first validation in the list
|
|
to fail, this reason, as well as the corresponding
|
|
HTTP response code, are used in the HTTP
|
|
response to the client. The currently supported
|
|
reasons are: "Unauthorized", "Forbidden",
|
|
"Invalid", "RequestEntityTooLarge". If not
|
|
set, StatusReasonInvalid is used in the
|
|
response to the client.'
|
|
type: string
|
|
required:
|
|
- expression
|
|
type: object
|
|
type: array
|
|
paramKind:
|
|
description: ParamKind is a tuple of Group Kind
|
|
and Version.
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion is the API group version
|
|
the resources belong to. In format of "group/version".
|
|
Required.
|
|
type: string
|
|
kind:
|
|
description: Kind is the API kind the resources
|
|
belong to. Required.
|
|
type: string
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
paramRef:
|
|
description: ParamRef references a parameter resource.
|
|
properties:
|
|
name:
|
|
description: "`name` is the name of the resource
|
|
being referenced. \n `name` and `selector`
|
|
are mutually exclusive properties. If one
|
|
is set, the other must be unset."
|
|
type: string
|
|
namespace:
|
|
description: "namespace is the namespace of
|
|
the referenced resource. Allows limiting the
|
|
search for params to a specific namespace.
|
|
Applies to both `name` and `selector` fields.
|
|
\n A per-namespace parameter may be used by
|
|
specifying a namespace-scoped `paramKind`
|
|
in the policy and leaving this field empty.
|
|
\n - If `paramKind` is cluster-scoped, this
|
|
field MUST be unset. Setting this field results
|
|
in a configuration error. \n - If `paramKind`
|
|
is namespace-scoped, the namespace of the
|
|
object being evaluated for admission will
|
|
be used when this field is left unset. Take
|
|
care that if this is left empty the binding
|
|
must not match any cluster-scoped resources,
|
|
which will result in an error."
|
|
type: string
|
|
parameterNotFoundAction:
|
|
description: "`parameterNotFoundAction` controls
|
|
the behavior of the binding when the resource
|
|
exists, and name or selector is valid, but
|
|
there are no parameters matched by the binding.
|
|
If the value is set to `Allow`, then no matched
|
|
parameters will be treated as successful validation
|
|
by the binding. If set to `Deny`, then no
|
|
matched parameters will be subject to the
|
|
`failurePolicy` of the policy. \n Allowed
|
|
values are `Allow` or `Deny`. Defaults to `Deny`."
|
|
type: string
|
|
selector:
|
|
description: "selector can be used to match
|
|
multiple param objects based on their labels.
|
|
Supply selector: {} to match all resources
|
|
of the ParamKind. \n If multiple params are
|
|
found, they are all evaluated with the policy
|
|
expressions and the results are ANDed together.
|
|
\n One of `name` or `selector` must be set,
|
|
but `name` and `selector` are mutually exclusive
|
|
properties. If one is set, the other must
|
|
be unset."
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: A label selector requirement
|
|
is a selector that contains values,
|
|
a key, and an operator that relates
|
|
the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a
|
|
key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists
|
|
and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of
|
|
string values. If the operator is
|
|
In or NotIn, the values array must
|
|
be non-empty. If the operator is
|
|
Exists or DoesNotExist, the values
|
|
array must be empty. This array
|
|
is replaced during a strategic merge
|
|
patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value}
|
|
pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator
|
|
is "In", and the values array contains
|
|
only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
variables:
|
|
description: Variables contain definitions of variables
|
|
that can be used in composition of other expressions.
|
|
Each variable is defined as a named CEL expression.
|
|
The variables defined here will be available under
|
|
`variables` in other expressions of the policy.
|
|
items:
|
|
description: Variable is the definition of a variable
|
|
that is used for composition.
|
|
properties:
|
|
expression:
|
|
description: Expression is the expression
|
|
that will be evaluated as the value of the
|
|
variable. The CEL expression has access
|
|
to the same identifiers as the CEL expressions
|
|
in Validation.
|
|
type: string
|
|
name:
|
|
description: Name is the name of the variable.
|
|
The name must be a valid CEL identifier
|
|
and unique among all variables. The variable
|
|
can be accessed in other expressions through
|
|
`variables`. For example, if name is "foo",
|
|
the variable will be available as `variables.foo`
|
|
type: string
|
|
required:
|
|
- expression
|
|
- name
|
|
type: object
|
|
type: array
|
|
type: object
|
|
deny:
|
|
description: Deny defines conditions used to pass or
|
|
fail a validation rule.
|
|
properties:
|
|
conditions:
|
|
description: 'Multiple conditions can be declared
|
|
under an `any` or `all` statement. A direct list
|
|
of conditions (without `any` or `all` statements)
|
|
is also supported for backwards compatibility
|
|
but will be deprecated in the next major release.
|
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
foreach:
|
|
description: ForEach applies validate rules to a list
|
|
of sub-elements by creating a context for each entry
|
|
in the list and looping over it to apply the specified
|
|
logic.
|
|
items:
|
|
description: ForEachValidation applies validate rules
|
|
to a list of sub-elements by creating a context
|
|
for each entry in the list and looping over it to
|
|
apply the specified logic.
|
|
properties:
|
|
anyPattern:
|
|
description: AnyPattern specifies list of validation
|
|
patterns. At least one of the patterns must
|
|
be satisfied for the validation rule to succeed.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
context:
|
|
description: Context defines variables and data
|
|
sources that can be used during rule execution.
|
|
items:
|
|
description: ContextEntry adds variables and
|
|
data sources to a rule Context. Either a ConfigMap
|
|
reference or an APILookup must be provided.
|
|
properties:
|
|
apiCall:
|
|
description: APICall is an HTTP request
|
|
to the Kubernetes API server, or other
|
|
JSON web service. The data returned is
|
|
stored in the context with the name for
|
|
the context entry.
|
|
properties:
|
|
data:
|
|
description: Data specifies the POST
|
|
data sent to the server.
|
|
items:
|
|
description: RequestData contains
|
|
the HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data
|
|
value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
jmesPath:
|
|
description: JMESPath is an optional
|
|
JSON Match Expression that can be
|
|
used to transform the JSON response
|
|
returned from the server. For example
|
|
a JMESPath of "items | length(@)"
|
|
applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments"
|
|
will return the total count of deployments
|
|
across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST).
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: Service is an API call
|
|
to a JSON web service
|
|
properties:
|
|
caBundle:
|
|
description: CABundle is a PEM encoded
|
|
CA bundle which will be used to
|
|
validate the server certificate.
|
|
type: string
|
|
url:
|
|
description: URL is the JSON web
|
|
service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: URLPath is the URL path
|
|
to be used in the HTTP GET or POST
|
|
request to the Kubernetes API server
|
|
(e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format
|
|
used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap
|
|
reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: ImageRegistry defines requests
|
|
to an OCI/Docker V2 registry to fetch
|
|
image details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials
|
|
provides credentials that will be
|
|
used for authentication with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry
|
|
allows insecure access to a registry
|
|
type: boolean
|
|
providers:
|
|
description: 'Providers specifies
|
|
a list of OCI Registry names,
|
|
whose authentication providers
|
|
are provided. It can be one
|
|
of these values: AWS, ACR, GCP,
|
|
GHCR'
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: Secrets specifies a
|
|
list of secrets that are provided
|
|
for credentials. Secrets must live
|
|
in the Kyverno namespace
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: JMESPath is an optional
|
|
JSON Match Expression that can be
|
|
used to transform the ImageData struct
|
|
returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: 'Reference is image reference
|
|
to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest'
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary
|
|
JMESPath context variable that can be
|
|
defined inline.
|
|
properties:
|
|
default:
|
|
description: Default is an optional
|
|
arbitrary JSON object that the variable
|
|
may take if the JMESPath expression
|
|
evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: JMESPath is an optional
|
|
JMESPath Expression that can be used
|
|
to transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary
|
|
JSON object representable in YAML
|
|
or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: object
|
|
type: array
|
|
deny:
|
|
description: Deny defines conditions used to pass
|
|
or fail a validation rule.
|
|
properties:
|
|
conditions:
|
|
description: 'Multiple conditions can be declared
|
|
under an `any` or `all` statement. A direct
|
|
list of conditions (without `any` or `all`
|
|
statements) is also supported for backwards
|
|
compatibility but will be deprecated in
|
|
the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
elementScope:
|
|
description: ElementScope specifies whether to
|
|
use the current list element as the scope for
|
|
validation. Defaults to "true" if not specified.
|
|
When set to "false", "request.object" is used
|
|
as the validation scope within the foreach block
|
|
to allow referencing other elements in the subtree.
|
|
type: boolean
|
|
foreach:
|
|
description: Foreach declares a nested foreach
|
|
iterator
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
list:
|
|
description: List specifies a JMESPath expression
|
|
that results in one or more elements to which
|
|
the validation logic is applied.
|
|
type: string
|
|
pattern:
|
|
description: Pattern specifies an overlay-style
|
|
pattern used to check resources.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
preconditions:
|
|
description: 'AnyAllConditions are used to determine
|
|
if a policy rule should be applied by evaluating
|
|
a set of conditions. The declaration can contain
|
|
nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
|
|
properties:
|
|
all:
|
|
description: AllConditions enable variable-based
|
|
conditional rule execution. This is useful
|
|
for finer control of when a rule is applied.
|
|
A condition can reference object data using
|
|
JMESPath notation. Here, all of the conditions
|
|
need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: 'Operator is the conditional
|
|
operation to perform. Valid operators
|
|
are: Equals, NotEquals, In, AnyIn,
|
|
AllIn, NotIn, AnyNotIn, AllNotIn,
|
|
GreaterThanOrEquals, GreaterThan,
|
|
LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
|
|
DurationGreaterThan, DurationLessThanOrEquals,
|
|
DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional
|
|
value, or set of values. The values
|
|
can be fixed set or can be variables
|
|
declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: AnyConditions enable variable-based
|
|
conditional rule execution. This is useful
|
|
for finer control of when a rule is applied.
|
|
A condition can reference object data using
|
|
JMESPath notation. Here, at least one of
|
|
the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: 'Operator is the conditional
|
|
operation to perform. Valid operators
|
|
are: Equals, NotEquals, In, AnyIn,
|
|
AllIn, NotIn, AnyNotIn, AllNotIn,
|
|
GreaterThanOrEquals, GreaterThan,
|
|
LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
|
|
DurationGreaterThan, DurationLessThanOrEquals,
|
|
DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional
|
|
value, or set of values. The values
|
|
can be fixed set or can be variables
|
|
declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
manifests:
|
|
description: Manifest specifies conditions for manifest
|
|
verification
|
|
properties:
|
|
annotationDomain:
|
|
description: AnnotationDomain is custom domain of
|
|
annotation for message and signature. Default
|
|
is "cosign.sigstore.dev".
|
|
type: string
|
|
attestors:
|
|
description: Attestors specify the required attestors
|
|
(i.e. authorities)
|
|
items:
|
|
properties:
|
|
count:
|
|
description: Count specifies the required
|
|
number of entries that must match. If the
|
|
count is null, all entries must match (a
|
|
logical AND). If the count is 1, at least
|
|
one entry must match (a logical OR). If
|
|
the count contains a value N, then N must
|
|
be less than or equal to the size of entries,
|
|
and at least N entries must match.
|
|
minimum: 1
|
|
type: integer
|
|
entries:
|
|
description: Entries contains the available
|
|
attestors. An attestor can be a static key,
|
|
attributes for keyless verification, or
|
|
a nested attestor declaration.
|
|
items:
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations are used for
|
|
image verification. Every specified
|
|
key-value pair must exist and match
|
|
in the verified payload. The payload
|
|
may contain other key-value pairs.
|
|
type: object
|
|
attestor:
|
|
description: Attestor is a nested AttestorSet
|
|
used to specify a more complex set
|
|
of match authorities
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
certificates:
|
|
description: Certificates specifies
|
|
one or more certificates
|
|
properties:
|
|
cert:
|
|
description: Certificate is an optional
|
|
PEM encoded public certificate.
|
|
type: string
|
|
certChain:
|
|
description: CertificateChain is
|
|
an optional PEM encoded set of
|
|
certificates used to verify
|
|
type: string
|
|
ctlog:
|
|
description: CTLog provides configuration
|
|
for validation of SCTs. If the
|
|
value is nil, default ctlog public
|
|
key is used
|
|
properties:
|
|
ignoreSCT:
|
|
description: IgnoreSCT requires
|
|
that a certificate contain
|
|
an embedded SCT during verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: CTLogPubKey, if
|
|
set, is used to validate SCTs
|
|
against those keys.
|
|
type: string
|
|
type: object
|
|
rekor:
|
|
description: Rekor provides configuration
|
|
for the Rekor transparency log
|
|
service. If an empty object is
|
|
provided the public instance of
|
|
Rekor (https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
tlog verification
|
|
type: boolean
|
|
pubkey:
|
|
description: RekorPubKey is
|
|
an optional PEM encoded public
|
|
key to use for a custom Rekor.
|
|
If set, is used to validate
|
|
signatures on log entries
|
|
from Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
type: object
|
|
keyless:
|
|
description: Keyless is a set of attributes
|
|
used to verify a Sigstore keyless
|
|
attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions
|
|
are certificate-extensions used
|
|
for keyless signing.
|
|
type: object
|
|
ctlog:
|
|
description: CTLog provides configuration
|
|
for validation of SCTs. If the
|
|
value is nil, default ctlog public
|
|
key is used
|
|
properties:
|
|
ignoreSCT:
|
|
description: IgnoreSCT requires
|
|
that a certificate contain
|
|
an embedded SCT during verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: CTLogPubKey, if
|
|
set, is used to validate SCTs
|
|
against those keys.
|
|
type: string
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
rekor:
|
|
description: Rekor provides configuration
|
|
for the Rekor transparency log
|
|
service. If an empty object is
|
|
provided the public instance of
|
|
Rekor (https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
tlog verification
|
|
type: boolean
|
|
pubkey:
|
|
description: RekorPubKey is
|
|
an optional PEM encoded public
|
|
key to use for a custom Rekor.
|
|
If set, is used to validate
|
|
signatures on log entries
|
|
from Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
roots:
|
|
description: Roots is an optional
|
|
set of PEM encoded trusted root
|
|
certificates. If not provided,
|
|
the system roots are used.
|
|
type: string
|
|
subject:
|
|
description: Subject is the verified
|
|
identity used for keyless signing,
|
|
for example the email address
|
|
type: string
|
|
type: object
|
|
keys:
|
|
description: Keys specifies one or more
|
|
public keys
|
|
properties:
|
|
ctlog:
|
|
description: CTLog provides configuration
|
|
for validation of SCTs. If the
|
|
value is nil, default ctlog public
|
|
key is used
|
|
properties:
|
|
ignoreSCT:
|
|
description: IgnoreSCT requires
|
|
that a certificate contain
|
|
an embedded SCT during verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: CTLogPubKey, if
|
|
set, is used to validate SCTs
|
|
against those keys.
|
|
type: string
|
|
type: object
|
|
kms:
|
|
description: 'KMS provides the URI
|
|
to the public key stored in a
|
|
Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
|
|
type: string
|
|
publicKeys:
|
|
description: Keys is a set of X.509
|
|
public keys used to verify image
|
|
signatures. The keys can be directly
|
|
specified or can be a variable
|
|
reference to a key specified in
|
|
a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
|
|
or reference a standard Kubernetes
|
|
Secret elsewhere in the cluster
|
|
by specifying it in the format
|
|
"k8s://<namespace>/<secret_name>".
|
|
The named Secret must specify
|
|
a key `cosign.pub` containing
|
|
the public key used for verification,
|
|
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
|
|
When multiple keys are specified
|
|
each key is processed as a separate
|
|
staticKey entry (.attestors[*].entries.keys)
|
|
within the set of attestors and
|
|
the count is applied across the
|
|
keys.
|
|
type: string
|
|
rekor:
|
|
description: Rekor provides configuration
|
|
for the Rekor transparency log
|
|
service. If an empty object is
|
|
provided the public instance of
|
|
Rekor (https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
tlog verification
|
|
type: boolean
|
|
pubkey:
|
|
description: RekorPubKey is
|
|
an optional PEM encoded public
|
|
key to use for a custom Rekor.
|
|
If set, is used to validate
|
|
signatures on log entries
|
|
from Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
secret:
|
|
description: Reference to a Secret
|
|
resource that contains a public
|
|
key
|
|
properties:
|
|
name:
|
|
description: Name of the secret.
|
|
The provided secret must contain
|
|
a key named cosign.pub.
|
|
type: string
|
|
namespace:
|
|
description: Namespace name
|
|
where the Secret exists.
|
|
type: string
|
|
required:
|
|
- name
|
|
- namespace
|
|
type: object
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Specifies the signature algorithm
|
|
for public keys. Supported values
|
|
are sha256 and sha512
|
|
type: string
|
|
type: object
|
|
repository:
|
|
description: Repository is an optional
|
|
alternate OCI repository to use for
|
|
signatures and attestations that match
|
|
this rule. If specified Repository
|
|
will override other OCI image repository
|
|
locations for this Attestor.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
dryRun:
|
|
description: DryRun configuration
|
|
properties:
|
|
enable:
|
|
type: boolean
|
|
namespace:
|
|
type: string
|
|
type: object
|
|
ignoreFields:
|
|
description: Fields which will be ignored while
|
|
comparing manifests.
|
|
items:
|
|
properties:
|
|
fields:
|
|
items:
|
|
type: string
|
|
type: array
|
|
objects:
|
|
items:
|
|
properties:
|
|
group:
|
|
type: string
|
|
kind:
|
|
type: string
|
|
name:
|
|
type: string
|
|
namespace:
|
|
type: string
|
|
version:
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
repository:
|
|
description: Repository is an optional alternate
|
|
OCI repository to use for resource bundle reference.
|
|
The repository can be overridden per Attestor
|
|
or Attestation.
|
|
type: string
|
|
type: object
|
|
message:
|
|
description: Message specifies a custom message to be
|
|
displayed on failure.
|
|
type: string
|
|
pattern:
|
|
description: Pattern specifies an overlay-style pattern
|
|
used to check resources.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
podSecurity:
|
|
description: PodSecurity applies exemptions for Kubernetes
|
|
Pod Security admission by specifying exclusions for
|
|
Pod Security Standards controls.
|
|
properties:
|
|
exclude:
|
|
description: Exclude specifies the Pod Security
|
|
Standard controls to be excluded.
|
|
items:
|
|
description: PodSecurityStandard specifies the
|
|
Pod Security Standard controls to be excluded.
|
|
properties:
|
|
controlName:
|
|
description: 'ControlName specifies the name
|
|
of the Pod Security Standard control. See:
|
|
https://kubernetes.io/docs/concepts/security/pod-security-standards/'
|
|
enum:
|
|
- HostProcess
|
|
- Host Namespaces
|
|
- Privileged Containers
|
|
- Capabilities
|
|
- HostPath Volumes
|
|
- Host Ports
|
|
- AppArmor
|
|
- SELinux
|
|
- /proc Mount Type
|
|
- Seccomp
|
|
- Sysctls
|
|
- Volume Types
|
|
- Privilege Escalation
|
|
- Running as Non-root
|
|
- Running as Non-root user
|
|
type: string
|
|
images:
|
|
description: 'Images selects matching containers
|
|
and applies the container level PSS. Each
|
|
image is the image name consisting of the
|
|
registry address, repository, image, and
|
|
tag. Empty list matches no containers, PSS
|
|
checks are applied at the pod level only.
|
|
Wildcards (''*'' and ''?'') are allowed.
|
|
See: https://kubernetes.io/docs/concepts/containers/images.'
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- controlName
|
|
type: object
|
|
type: array
|
|
level:
|
|
description: Level defines the Pod Security Standard
|
|
level to be applied to workloads. Allowed values
|
|
are privileged, baseline, and restricted.
|
|
enum:
|
|
- privileged
|
|
- baseline
|
|
- restricted
|
|
type: string
|
|
version:
|
|
description: Version defines the Pod Security Standard
|
|
versions that Kubernetes supports. Allowed values
|
|
are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24,
|
|
v1.25, v1.26, latest. Defaults to latest.
|
|
enum:
|
|
- v1.19
|
|
- v1.20
|
|
- v1.21
|
|
- v1.22
|
|
- v1.23
|
|
- v1.24
|
|
- v1.25
|
|
- v1.26
|
|
- latest
|
|
type: string
|
|
type: object
|
|
type: object
|
|
verifyImages:
|
|
description: VerifyImages is used to verify image signatures
|
|
and mutate them to add a digest
|
|
items:
|
|
description: ImageVerification validates that images that
|
|
match the specified pattern are signed with the supplied
|
|
public key. Once the image is verified it is mutated
|
|
to include the SHA digest retrieved during the registration.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: Deprecated.
|
|
type: object
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Deprecated. Use annotations per Attestor
|
|
instead.
|
|
type: object
|
|
attestations:
|
|
description: Attestations are optional checks for
|
|
signed in-toto Statements used to verify the image.
|
|
See https://github.com/in-toto/attestation. Kyverno
|
|
fetches signed attestations from the OCI registry
|
|
and decodes them into a list of Statement declarations.
|
|
items:
|
|
description: Attestation are checks for signed in-toto
|
|
Statements that are used to verify the image.
|
|
See https://github.com/in-toto/attestation. Kyverno
|
|
fetches signed attestations from the OCI registry
|
|
and decodes them into a list of Statements.
|
|
properties:
|
|
attestors:
|
|
description: Attestors specify the required
|
|
attestors (i.e. authorities)
|
|
items:
|
|
properties:
|
|
count:
|
|
description: Count specifies the required
|
|
number of entries that must match. If
|
|
the count is null, all entries must
|
|
match (a logical AND). If the count
|
|
is 1, at least one entry must match
|
|
(a logical OR). If the count contains
|
|
a value N, then N must be less than
|
|
or equal to the size of entries, and
|
|
at least N entries must match.
|
|
minimum: 1
|
|
type: integer
|
|
entries:
|
|
description: Entries contains the available
|
|
attestors. An attestor can be a static
|
|
key, attributes for keyless verification,
|
|
or a nested attestor declaration.
|
|
items:
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations are used
|
|
for image verification. Every
|
|
specified key-value pair must
|
|
exist and match in the verified
|
|
payload. The payload may contain
|
|
other key-value pairs.
|
|
type: object
|
|
attestor:
|
|
description: Attestor is a nested
|
|
AttestorSet used to specify a
|
|
more complex set of match authorities
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
certificates:
|
|
description: Certificates specifies
|
|
one or more certificates
|
|
properties:
|
|
cert:
|
|
description: Certificate is
|
|
an optional PEM encoded public
|
|
certificate.
|
|
type: string
|
|
certChain:
|
|
description: CertificateChain
|
|
is an optional PEM encoded
|
|
set of certificates used to
|
|
verify
|
|
type: string
|
|
ctlog:
|
|
description: CTLog provides
|
|
configuration for validation
|
|
of SCTs. If the value is nil,
|
|
default ctlog public key is
|
|
used
|
|
properties:
|
|
ignoreSCT:
|
|
description: IgnoreSCT requires
|
|
that a certificate contain
|
|
an embedded SCT during
|
|
verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: CTLogPubKey,
|
|
if set, is used to validate
|
|
SCTs against those keys.
|
|
type: string
|
|
type: object
|
|
rekor:
|
|
description: Rekor provides
|
|
configuration for the Rekor
|
|
transparency log service.
|
|
If an empty object is provided
|
|
the public instance of Rekor
|
|
(https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog
|
|
skips tlog verification
|
|
type: boolean
|
|
pubkey:
|
|
description: RekorPubKey
|
|
is an optional PEM encoded
|
|
public key to use for
|
|
a custom Rekor. If set,
|
|
is used to validate signatures
|
|
on log entries from Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the
|
|
address of the transparency
|
|
log. Defaults to the public
|
|
log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
type: object
|
|
keyless:
|
|
description: Keyless is a set of
|
|
attributes used to verify a Sigstore
|
|
keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions
|
|
are certificate-extensions
|
|
used for keyless signing.
|
|
type: object
|
|
ctlog:
|
|
description: CTLog provides
|
|
configuration for validation
|
|
of SCTs. If the value is nil,
|
|
default ctlog public key is
|
|
used
|
|
properties:
|
|
ignoreSCT:
|
|
description: IgnoreSCT requires
|
|
that a certificate contain
|
|
an embedded SCT during
|
|
verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: CTLogPubKey,
|
|
if set, is used to validate
|
|
SCTs against those keys.
|
|
type: string
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
rekor:
|
|
description: Rekor provides
|
|
configuration for the Rekor
|
|
transparency log service.
|
|
If an empty object is provided
|
|
the public instance of Rekor
|
|
(https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog
|
|
skips tlog verification
|
|
type: boolean
|
|
pubkey:
|
|
description: RekorPubKey
|
|
is an optional PEM encoded
|
|
public key to use for
|
|
a custom Rekor. If set,
|
|
is used to validate signatures
|
|
on log entries from Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the
|
|
address of the transparency
|
|
log. Defaults to the public
|
|
log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
roots:
|
|
description: Roots is an optional
|
|
set of PEM encoded trusted
|
|
root certificates. If not
|
|
provided, the system roots
|
|
are used.
|
|
type: string
|
|
subject:
|
|
description: Subject is the
|
|
verified identity used for
|
|
keyless signing, for example
|
|
the email address
|
|
type: string
|
|
type: object
|
|
keys:
|
|
description: Keys specifies one
|
|
or more public keys
|
|
properties:
|
|
ctlog:
|
|
description: CTLog provides
|
|
configuration for validation
|
|
of SCTs. If the value is nil,
|
|
default ctlog public key is
|
|
used
|
|
properties:
|
|
ignoreSCT:
|
|
description: IgnoreSCT requires
|
|
that a certificate contain
|
|
an embedded SCT during
|
|
verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: CTLogPubKey,
|
|
if set, is used to validate
|
|
SCTs against those keys.
|
|
type: string
|
|
type: object
|
|
kms:
|
|
description: 'KMS provides the
|
|
URI to the public key stored
|
|
in a Key Management System.
|
|
See: https://github.com/sigstore/cosign/blob/main/KMS.md'
|
|
type: string
|
|
publicKeys:
|
|
description: Keys is a set of
|
|
X.509 public keys used to
|
|
verify image signatures. The
|
|
keys can be directly specified
|
|
or can be a variable reference
|
|
to a key specified in a ConfigMap
|
|
(see https://kyverno.io/docs/writing-policies/variables/),
|
|
or reference a standard Kubernetes
|
|
Secret elsewhere in the cluster
|
|
by specifying it in the format
|
|
"k8s://<namespace>/<secret_name>".
|
|
The named Secret must specify
|
|
a key `cosign.pub` containing
|
|
the public key used for verification,
|
|
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
|
|
When multiple keys are specified
|
|
each key is processed as a
|
|
separate staticKey entry (.attestors[*].entries.keys)
|
|
within the set of attestors
|
|
and the count is applied across
|
|
the keys.
|
|
type: string
|
|
rekor:
|
|
description: Rekor provides
|
|
configuration for the Rekor
|
|
transparency log service.
|
|
If an empty object is provided
|
|
the public instance of Rekor
|
|
(https://rekor.sigstore.dev)
|
|
is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog
|
|
skips tlog verification
|
|
type: boolean
|
|
pubkey:
|
|
description: RekorPubKey
|
|
is an optional PEM encoded
|
|
public key to use for
|
|
a custom Rekor. If set,
|
|
is used to validate signatures
|
|
on log entries from Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the
|
|
address of the transparency
|
|
log. Defaults to the public
|
|
log https://rekor.sigstore.dev.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
secret:
|
|
description: Reference to a
|
|
Secret resource that contains
|
|
a public key
|
|
properties:
|
|
name:
|
|
description: Name of the
|
|
secret. The provided secret
|
|
must contain a key named
|
|
cosign.pub.
|
|
type: string
|
|
namespace:
|
|
description: Namespace name
|
|
where the Secret exists.
|
|
type: string
|
|
required:
|
|
- name
|
|
- namespace
|
|
type: object
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Specifies the signature
|
|
algorithm for public keys.
|
|
Supported values are sha256
|
|
and sha512
|
|
type: string
|
|
type: object
|
|
repository:
|
|
description: Repository is an optional
|
|
alternate OCI repository to use
|
|
for signatures and attestations
|
|
that match this rule. If specified
|
|
Repository will override other
|
|
OCI image repository locations
|
|
for this Attestor.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
conditions:
|
|
description: Conditions are used to verify attributes
|
|
within a Predicate. If no Conditions are specified
|
|
the attestation check is satisfied as long as
|
|
there are predicates that match the predicate
|
|
type.
|
|
items:
|
|
description: AnyAllConditions consists of
|
|
conditions wrapped denoting a logical criteria
|
|
to be fulfilled. AnyConditions get fulfilled
|
|
when at least one of its sub-conditions
|
|
passes. AllConditions get fulfilled only
|
|
when all of its sub-conditions pass.
|
|
properties:
|
|
all:
|
|
description: AllConditions enable variable-based
|
|
conditional rule execution. This is
|
|
useful for finer control of when a
|
|
rule is applied. A condition can reference
|
|
object data using JMESPath notation.
|
|
Here, all of the conditions need to
|
|
pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context
|
|
entry (using JMESPath) for conditional
|
|
rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: 'Operator is the conditional
|
|
operation to perform. Valid operators
|
|
are: Equals, NotEquals, In, AnyIn,
|
|
AllIn, NotIn, AnyNotIn, AllNotIn,
|
|
GreaterThanOrEquals, GreaterThan,
|
|
LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
|
|
DurationGreaterThan, DurationLessThanOrEquals,
|
|
DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional
|
|
value, or set of values. The values
|
|
can be fixed set or can be variables
|
|
declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: AnyConditions enable variable-based
|
|
conditional rule execution. This is
|
|
useful for finer control of when a
|
|
rule is applied. A condition can reference
|
|
object data using JMESPath notation.
|
|
Here, at least one of the conditions
|
|
need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context
|
|
entry (using JMESPath) for conditional
|
|
rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: 'Operator is the conditional
|
|
operation to perform. Valid operators
|
|
are: Equals, NotEquals, In, AnyIn,
|
|
AllIn, NotIn, AnyNotIn, AllNotIn,
|
|
GreaterThanOrEquals, GreaterThan,
|
|
LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
|
|
DurationGreaterThan, DurationLessThanOrEquals,
|
|
DurationLessThan'
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: Value is the conditional
|
|
value, or set of values. The values
|
|
can be fixed set or can be variables
|
|
declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
predicateType:
|
|
description: Deprecated in favour of 'Type',
|
|
to be removed soon
|
|
type: string
|
|
type:
|
|
description: Type defines the type of attestation
|
|
contained within the Statement.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
attestors:
|
|
description: Attestors specify the required attestors
|
|
(i.e. authorities)
|
|
items:
|
|
properties:
|
|
count:
|
|
description: Count specifies the required number
|
|
of entries that must match. If the count is
|
|
null, all entries must match (a logical AND).
|
|
If the count is 1, at least one entry must
|
|
match (a logical OR). If the count contains
|
|
a value N, then N must be less than or equal
|
|
to the size of entries, and at least N entries
|
|
must match.
|
|
minimum: 1
|
|
type: integer
|
|
entries:
|
|
description: Entries contains the available
|
|
attestors. An attestor can be a static key,
|
|
attributes for keyless verification, or a
|
|
nested attestor declaration.
|
|
items:
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Annotations are used for
|
|
image verification. Every specified
|
|
key-value pair must exist and match
|
|
in the verified payload. The payload
|
|
may contain other key-value pairs.
|
|
type: object
|
|
attestor:
|
|
description: Attestor is a nested AttestorSet
|
|
used to specify a more complex set of
|
|
match authorities
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
certificates:
|
|
description: Certificates specifies one
|
|
or more certificates
|
|
properties:
|
|
cert:
|
|
description: Certificate is an optional
|
|
PEM encoded public certificate.
|
|
type: string
|
|
certChain:
|
|
description: CertificateChain is an
|
|
optional PEM encoded set of certificates
|
|
used to verify
|
|
type: string
|
|
ctlog:
|
|
description: CTLog provides configuration
|
|
for validation of SCTs. If the value
|
|
is nil, default ctlog public key
|
|
is used
|
|
properties:
|
|
ignoreSCT:
|
|
description: IgnoreSCT requires
|
|
that a certificate contain an
|
|
embedded SCT during verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: CTLogPubKey, if set,
|
|
is used to validate SCTs against
|
|
those keys.
|
|
type: string
|
|
type: object
|
|
rekor:
|
|
description: Rekor provides configuration
|
|
for the Rekor transparency log service.
|
|
If an empty object is provided the
|
|
public instance of Rekor (https://rekor.sigstore.dev)
is used.
properties:
ignoreTlog:
description: IgnoreTlog skips tlog
verification
type: boolean
pubkey:
description: RekorPubKey is an
optional PEM encoded public
key to use for a custom Rekor.
If set, it is used to validate
signatures on log entries from
Rekor.
type: string
url:
description: URL is the address
of the transparency log. Defaults
to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
type: object
keyless:
description: Keyless is a set of attributes
used to verify a Sigstore keyless attestor.
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
properties:
additionalExtensions:
additionalProperties:
type: string
description: AdditionalExtensions
are certificate-extensions used
for keyless signing.
type: object
ctlog:
description: CTLog provides configuration
for validation of SCTs. If the value
is nil, the default ctlog public key
is used
properties:
ignoreSCT:
description: IgnoreSCT requires
that a certificate contain an
embedded SCT during verification.
type: boolean
pubkey:
description: CTLogPubKey, if set,
is used to validate SCTs against
those keys.
type: string
type: object
issuer:
description: Issuer is the certificate
issuer used for keyless signing.
type: string
rekor:
description: Rekor provides configuration
for the Rekor transparency log service.
If an empty object is provided the
public instance of Rekor (https://rekor.sigstore.dev)
is used.
properties:
ignoreTlog:
description: IgnoreTlog skips tlog
verification
type: boolean
pubkey:
description: RekorPubKey is an
optional PEM encoded public
key to use for a custom Rekor.
If set, it is used to validate
signatures on log entries from
Rekor.
type: string
url:
description: URL is the address
of the transparency log. Defaults
to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
roots:
description: Roots is an optional
set of PEM encoded trusted root
certificates. If not provided, the
system roots are used.
type: string
subject:
description: Subject is the verified
identity used for keyless signing,
for example the email address
type: string
type: object
keys:
description: Keys specifies one or more
public keys
properties:
ctlog:
description: CTLog provides configuration
for validation of SCTs. If the value
is nil, the default ctlog public key
is used
properties:
ignoreSCT:
description: IgnoreSCT requires
that a certificate contain an
embedded SCT during verification.
type: boolean
pubkey:
description: CTLogPubKey, if set,
is used to validate SCTs against
those keys.
type: string
type: object
kms:
description: 'KMS provides the URI
to the public key stored in a Key
Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
type: string
publicKeys:
description: Keys is a set of X.509
public keys used to verify image
signatures. The keys can be directly
specified or can be a variable reference
to a key specified in a ConfigMap
(see https://kyverno.io/docs/writing-policies/variables/),
or reference a standard Kubernetes
Secret elsewhere in the cluster
by specifying it in the format "k8s://<namespace>/<secret_name>".
The named Secret must specify a
key `cosign.pub` containing the
public key used for verification,
(see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
When multiple keys are specified
each key is processed as a separate
staticKey entry (.attestors[*].entries.keys)
within the set of attestors and
the count is applied across the
keys.
type: string
rekor:
description: Rekor provides configuration
for the Rekor transparency log service.
If an empty object is provided the
public instance of Rekor (https://rekor.sigstore.dev)
is used.
properties:
ignoreTlog:
description: IgnoreTlog skips tlog
verification
type: boolean
pubkey:
description: RekorPubKey is an
optional PEM encoded public
key to use for a custom Rekor.
If set, it is used to validate
signatures on log entries from
Rekor.
type: string
url:
description: URL is the address
of the transparency log. Defaults
to the public log https://rekor.sigstore.dev.
type: string
required:
- url
type: object
secret:
description: Reference to a Secret
resource that contains a public
key
properties:
name:
description: Name of the secret.
The provided secret must contain
a key named cosign.pub.
type: string
namespace:
description: Namespace name where
the Secret exists.
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional
alternate OCI repository to use for
signatures and attestations that match
this rule. If specified Repository will
override other OCI image repository
locations for this Attestor.
type: string
type: object
type: array
type: object
type: array
image:
description: Deprecated. Use ImageReferences instead.
type: string
imageReferences:
description: 'ImageReferences is a list of matching
image reference patterns. At least one pattern in
the list must match the image for the rule to apply.
Each image reference consists of a registry address
(defaults to docker.io), repository, image, and
tag (defaults to latest). Wildcards (''*'' and ''?'')
are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
items:
type: string
type: array
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
that will be used for authentication with the registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows insecure
access to a registry
type: boolean
providers:
description: 'Providers specifies a list of OCI
Registry names, whose authentication providers
are provided. It can be one of these values:
AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers
required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list of secrets
that are provided for credentials. Secrets must
live in the Kyverno namespace
items:
type: string
type: array
type: object
issuer:
description: Deprecated. Use KeylessAttestor instead.
type: string
key:
description: Deprecated. Use StaticKeyAttestor instead.
type: string
mutateDigest:
default: true
description: MutateDigest enables replacement of image
tags with digests. Defaults to true.
type: boolean
repository:
description: Repository is an optional alternate OCI
repository to use for image signatures and attestations
that match this rule. If specified Repository will
override the default OCI image repository configured
for the installation. The repository can also be
overridden per Attestor or Attestation.
type: string
required:
default: true
description: Required validates that images are verified
i.e. have passed a signature or attestation
check.
type: boolean
roots:
description: Deprecated. Use KeylessAttestor instead.
type: string
subject:
description: Deprecated. Use KeylessAttestor instead.
type: string
type:
description: Type specifies the method of signature
validation. The allowed options are Cosign and Notary.
By default Cosign is used if a type is not specified.
enum:
- Cosign
- Notary
type: string
useCache:
default: true
description: UseCache enables caching of image verify
responses for this rule
type: boolean
verifyDigest:
default: true
description: VerifyDigest validates that images have
a digest.
type: boolean
type: object
type: array
required:
- name
type: object
type: array
type: object
conditions:
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
ready:
description: Deprecated in favor of Conditions
type: boolean
rulecount:
description: RuleCountStatus contains four variables which describe
counts for validate, generate, mutate and verify images rules
properties:
generate:
description: Count for generate rules in policy
type: integer
mutate:
description: Count for mutate rules in policy
type: integer
validate:
description: Count for validate rules in policy
type: integer
verifyimages:
description: Count for verify image rules in policy
type: integer
required:
- generate
- mutate
- validate
- verifyimages
type: object
validatingadmissionpolicy:
description: ValidatingAdmissionPolicy contains status information
properties:
generated:
description: Generated indicates whether a validating admission
policy is generated from the policy or not
type: boolean
message:
description: Message is a human readable message indicating details
about the generation of validating admission policy. It is an
empty string when validating admission policy is successfully
generated.
type: string
required:
- generated
- message
type: object
required:
- ready
type: object
required:
- spec
type: object
served: true
storage: false
subresources:
status: {}