903ece34bf
* feat: add support for signature algorithm in cosign cert and kms verification Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add signature algo at attestor level Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Khaled Emara <khaled.emara@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
---
# Namespace the Kyverno controllers are installed into.
# The same namespace is also listed in the `kyverno` ConfigMap's resourceFilters
# and excluded by its webhook namespaceSelector (see further down in this file),
# so objects created here are not themselves subject to Kyverno policies.
apiVersion: v1
kind: Namespace
metadata:
  name: kyverno
  labels:
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
---
# Identity used by the admission-controller pods. Each controller gets its
# own ServiceAccount; the RBAC objects named in the `kyverno` ConfigMap's
# resourceFilters (kyverno:admission-controller, :core, :additional) are
# split along the same per-controller lines.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kyverno-admission-controller
  namespace: kyverno
  labels:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
---
# Identity used by the background-controller pods (separate from the
# admission controller so the two can carry different RBAC grants).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kyverno-background-controller
  namespace: kyverno
  labels:
    app.kubernetes.io/component: background-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
---
# Identity used by the cleanup-controller pods. This controller deletes
# resources selected by CleanupPolicy objects, so the roles bound to this
# account (defined elsewhere in this file) deserve the closest review.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kyverno-cleanup-controller
  namespace: kyverno
  labels:
    app.kubernetes.io/component: cleanup-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
---
# Identity used by the reports-controller pods.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kyverno-reports-controller
  namespace: kyverno
  labels:
    app.kubernetes.io/component: reports-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
---
# Runtime configuration shared by the Kyverno controllers.
# All data values are strings (ConfigMap requirement); several of them hold
# JSON documents that the controllers parse at startup.
apiVersion: v1
kind: ConfigMap
metadata:
  name: kyverno
  namespace: kyverno
  annotations:
    # Helm leaves this object in place on uninstall/upgrade instead of deleting it,
    # so operator edits to the configuration survive chart operations.
    helm.sh/resource-policy: "keep"
  labels:
    app.kubernetes.io/component: config
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
data:
  # Registry to assume for image references that carry no registry host
  # (presumably used when enableDefaultRegistryMutation is on; verify against
  # the Kyverno docs for this version).
  defaultRegistry: "docker.io"
  enableDefaultRegistryMutation: "true"

  # Do not emit a Kubernetes Event for every successful generate rule.
  generateSuccessEvents: "false"

  # Requests issued by members of this group are excluded from admission
  # processing (Kyverno's documented behaviour for excludeGroups).
  excludeGroups: "system:nodes"

  # Each entry is a [kind,namespace,name] triple; `*` is a wildcard and
  # `Kind/subresource` forms match subresources. Resources matching an entry are
  # skipped by policy evaluation. The list exempts Kyverno's own namespace, RBAC,
  # deployments, pods, services and `*.svc.*` secrets so a misconfigured policy
  # cannot lock the controllers out -- which also means policies cannot guard
  # those objects. Keep the list no wider than the install needs.
  # Folded (>-) scalar: the entries below are joined by single spaces.
  resourceFilters: >-
    [*/*,kyverno,*]
    [Event,*,*]
    [*/*,kube-system,*]
    [*/*,kube-public,*]
    [*/*,kube-node-lease,*]
    [Node,*,*]
    [Node/*,*,*]
    [APIService,*,*]
    [APIService/*,*,*]
    [TokenReview,*,*]
    [SubjectAccessReview,*,*]
    [SelfSubjectAccessReview,*,*]
    [Binding,*,*]
    [Pod/binding,*,*]
    [ReplicaSet,*,*]
    [ReplicaSet/*,*,*]
    [ClusterRole,*,kyverno:admission-controller]
    [ClusterRole,*,kyverno:admission-controller:core]
    [ClusterRole,*,kyverno:admission-controller:additional]
    [ClusterRole,*,kyverno:background-controller]
    [ClusterRole,*,kyverno:background-controller:core]
    [ClusterRole,*,kyverno:background-controller:additional]
    [ClusterRole,*,kyverno:cleanup-controller]
    [ClusterRole,*,kyverno:cleanup-controller:core]
    [ClusterRole,*,kyverno:cleanup-controller:additional]
    [ClusterRole,*,kyverno:reports-controller]
    [ClusterRole,*,kyverno:reports-controller:core]
    [ClusterRole,*,kyverno:reports-controller:additional]
    [ClusterRoleBinding,*,kyverno:admission-controller]
    [ClusterRoleBinding,*,kyverno:background-controller]
    [ClusterRoleBinding,*,kyverno:cleanup-controller]
    [ClusterRoleBinding,*,kyverno:reports-controller]
    [ServiceAccount,kyverno,kyverno-admission-controller]
    [ServiceAccount/*,kyverno,kyverno-admission-controller]
    [ServiceAccount,kyverno,kyverno-background-controller]
    [ServiceAccount/*,kyverno,kyverno-background-controller]
    [ServiceAccount,kyverno,kyverno-cleanup-controller]
    [ServiceAccount/*,kyverno,kyverno-cleanup-controller]
    [ServiceAccount,kyverno,kyverno-reports-controller]
    [ServiceAccount/*,kyverno,kyverno-reports-controller]
    [Role,kyverno,kyverno:admission-controller]
    [Role,kyverno,kyverno:background-controller]
    [Role,kyverno,kyverno:cleanup-controller]
    [Role,kyverno,kyverno:reports-controller]
    [RoleBinding,kyverno,kyverno:admission-controller]
    [RoleBinding,kyverno,kyverno:background-controller]
    [RoleBinding,kyverno,kyverno:cleanup-controller]
    [RoleBinding,kyverno,kyverno:reports-controller]
    [ConfigMap,kyverno,kyverno]
    [ConfigMap,kyverno,kyverno-metrics]
    [Deployment,kyverno,kyverno-admission-controller]
    [Deployment/*,kyverno,kyverno-admission-controller]
    [Deployment,kyverno,kyverno-background-controller]
    [Deployment/*,kyverno,kyverno-background-controller]
    [Deployment,kyverno,kyverno-cleanup-controller]
    [Deployment/*,kyverno,kyverno-cleanup-controller]
    [Deployment,kyverno,kyverno-reports-controller]
    [Deployment/*,kyverno,kyverno-reports-controller]
    [Pod,kyverno,kyverno-admission-controller-*]
    [Pod/*,kyverno,kyverno-admission-controller-*]
    [Pod,kyverno,kyverno-background-controller-*]
    [Pod/*,kyverno,kyverno-background-controller-*]
    [Pod,kyverno,kyverno-cleanup-controller-*]
    [Pod/*,kyverno,kyverno-cleanup-controller-*]
    [Pod,kyverno,kyverno-reports-controller-*]
    [Pod/*,kyverno,kyverno-reports-controller-*]
    [Job,kyverno,kyverno-hook-pre-delete]
    [Job/*,kyverno,kyverno-hook-pre-delete]
    [NetworkPolicy,kyverno,kyverno-admission-controller]
    [NetworkPolicy/*,kyverno,kyverno-admission-controller]
    [NetworkPolicy,kyverno,kyverno-background-controller]
    [NetworkPolicy/*,kyverno,kyverno-background-controller]
    [NetworkPolicy,kyverno,kyverno-cleanup-controller]
    [NetworkPolicy/*,kyverno,kyverno-cleanup-controller]
    [NetworkPolicy,kyverno,kyverno-reports-controller]
    [NetworkPolicy/*,kyverno,kyverno-reports-controller]
    [PodDisruptionBudget,kyverno,kyverno-admission-controller]
    [PodDisruptionBudget/*,kyverno,kyverno-admission-controller]
    [PodDisruptionBudget,kyverno,kyverno-background-controller]
    [PodDisruptionBudget/*,kyverno,kyverno-background-controller]
    [PodDisruptionBudget,kyverno,kyverno-cleanup-controller]
    [PodDisruptionBudget/*,kyverno,kyverno-cleanup-controller]
    [PodDisruptionBudget,kyverno,kyverno-reports-controller]
    [PodDisruptionBudget/*,kyverno,kyverno-reports-controller]
    [Service,kyverno,kyverno-svc]
    [Service/*,kyverno,kyverno-svc]
    [Service,kyverno,kyverno-svc-metrics]
    [Service/*,kyverno,kyverno-svc-metrics]
    [Service,kyverno,kyverno-background-controller-metrics]
    [Service/*,kyverno,kyverno-background-controller-metrics]
    [Service,kyverno,kyverno-cleanup-controller]
    [Service/*,kyverno,kyverno-cleanup-controller]
    [Service,kyverno,kyverno-cleanup-controller-metrics]
    [Service/*,kyverno,kyverno-cleanup-controller-metrics]
    [Service,kyverno,kyverno-reports-controller-metrics]
    [Service/*,kyverno,kyverno-reports-controller-metrics]
    [ServiceMonitor,kyverno,kyverno-admission-controller]
    [ServiceMonitor,kyverno,kyverno-background-controller]
    [ServiceMonitor,kyverno,kyverno-cleanup-controller]
    [ServiceMonitor,kyverno,kyverno-reports-controller]
    [Secret,kyverno,kyverno-svc.kyverno.svc.*]
    [Secret,kyverno,kyverno-cleanup-controller.kyverno.svc.*]

  # Upper bound on pending UpdateRequests (string-typed number).
  updateRequestThreshold: "1000"

  # JSON list applied to the generated webhook configurations. The single
  # entry is a namespaceSelector with two NotIn expressions on
  # kubernetes.io/metadata.name, i.e. kube-system and the kyverno namespace are
  # never sent to the admission webhooks. Written as a literal block scalar so
  # the JSON needs no backslash escaping; the parsed value is unchanged.
  webhooks: |-
    [{"namespaceSelector":{"matchExpressions":[{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kube-system"]},{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kyverno"]}],"matchLabels":null}}]

  # JSON map of annotations stamped onto the webhook configurations.
  webhookAnnotations: |-
    {"admissions.enforcer/disabled":"true"}
---
# Metrics configuration for the Kyverno controllers.
apiVersion: v1
kind: ConfigMap
metadata:
  name: kyverno-metrics
  namespace: kyverno
  labels:
    app.kubernetes.io/component: config
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
data:
  # Namespace include/exclude lists for metrics; both empty here (presumably
  # meaning no namespace filtering -- confirm against the Kyverno docs).
  namespaces: |-
    {"exclude":[],"include":[]}

  # Per-metric list of label dimensions that are dropped. Dropping
  # resource_namespace / policy_namespace keeps metric cardinality bounded on
  # clusters with many namespaces. Literal block scalar; parsed value is the
  # same JSON as the escaped double-quoted form.
  metricsExposure: |-
    {"kyverno_admission_requests_total":{"disabledLabelDimensions":["resource_namespace"]},"kyverno_admission_review_duration_seconds":{"disabledLabelDimensions":["resource_namespace"]},"kyverno_cleanup_controller_deletedobjects_total":{"disabledLabelDimensions":["resource_namespace","policy_namespace"]},"kyverno_policy_execution_duration_seconds":{"disabledLabelDimensions":["resource_namespace","resource_request_operation"]},"kyverno_policy_results_total":{"disabledLabelDimensions":["resource_namespace","policy_namespace"]},"kyverno_policy_rule_info_total":{"disabledLabelDimensions":["resource_namespace","policy_namespace"]}}

  # Comma-separated histogram bucket boundaries (units assumed to be seconds,
  # matching the *_duration_seconds metrics above -- confirm).
  bucketBoundaries: "0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10, 15, 20, 25, 30"
---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/component: crds
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/managed-by: Helm
|
|
app.kubernetes.io/part-of: kyverno-crds
|
|
app.kubernetes.io/version: v0.0.0
|
|
helm.sh/chart: crds-v0.0.0
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.16.1
|
|
name: cleanuppolicies.kyverno.io
|
|
spec:
|
|
group: kyverno.io
|
|
names:
|
|
categories:
|
|
- kyverno
|
|
kind: CleanupPolicy
|
|
listKind: CleanupPolicyList
|
|
plural: cleanuppolicies
|
|
shortNames:
|
|
- cleanpol
|
|
singular: cleanuppolicy
|
|
scope: Namespaced
|
|
versions:
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .spec.schedule
|
|
name: Schedule
|
|
type: string
|
|
- jsonPath: .metadata.creationTimestamp
|
|
name: Age
|
|
type: date
|
|
name: v2
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: CleanupPolicy defines a rule for resource cleanup.
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion defines the versioned schema of this representation of an object.
|
|
Servers should convert recognized schemas to the latest internal value, and
|
|
may reject unrecognized values.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is a string value representing the REST resource this object represents.
|
|
Servers may infer this from the endpoint the client submits requests to.
|
|
Cannot be updated.
|
|
In CamelCase.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Spec declares policy behaviors.
|
|
properties:
|
|
conditions:
|
|
description: Conditions defines the conditions used to select the
|
|
resources which will be cleaned up.
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when an rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass.
|
|
items:
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using JMESPath) for
|
|
conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- AnyIn
|
|
- AllIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when an rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions need to pass.
|
|
items:
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using JMESPath) for
|
|
conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- AnyIn
|
|
- AllIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
context:
|
|
description: Context defines variables and data sources that can be
|
|
used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference or a APILookup must be provided.
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains the HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier for the data
|
|
value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns error
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request type (GET or POST).
|
|
Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference is a reference to a
|
|
cached global context entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides credentials
|
|
that will be used for authentication with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows insecure access
|
|
to a registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
It can be of one of these values: default,google,azure,amazon,github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath context
|
|
variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON object representable
|
|
in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
exclude:
|
|
description: |-
|
|
ExcludeResources defines when cleanuppolicy should not be applied. The exclude
|
|
criteria can include resource information (e.g. kind, name, namespace, labels)
|
|
and admission review request information like the name or role.
|
|
not:
|
|
required:
|
|
- any
|
|
- all
|
|
properties:
|
|
all:
|
|
description: All allows specifying resources which will be ANDed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or "OR" between
|
|
resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information about
|
|
the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character).Wildcards allows writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespaces names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE,
|
|
"UPDATE", "CONNECT", "DELETE"], which are used to
|
|
match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one of the
|
|
values CREATE, UPDATE, CONNECT, DELETE, which are
|
|
used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognized the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: Any allows specifying resources which will be ORed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or "OR" between
|
|
resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information about
|
|
the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character).Wildcards allows writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespaces names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE,
|
|
"UPDATE", "CONNECT", "DELETE"], which are used to
|
|
match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one of the
|
|
values CREATE, UPDATE, CONNECT, DELETE, which are
|
|
used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
type: object
|
|
match:
|
|
description: |-
|
|
MatchResources defines when cleanuppolicy should be applied. The match
|
|
criteria can include resource information (e.g. kind, name, namespace, labels)
|
|
and admission review request information like the user name or role.
|
|
At least one kind is required.
|
|
not:
|
|
required:
|
|
- any
|
|
- all
|
|
properties:
|
|
all:
|
|
description: All allows specifying resources which will be ANDed
|
|
items:
|
|
description: ResourceFilter allows users to "AND" or "OR" between
|
|
resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information about
|
|
the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used to
|
|
match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one of the
|
|
values CREATE, UPDATE, CONNECT, DELETE, which are
|
|
used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: Any allows specifying resources which will be ORed
|
|
items:
|
|
description: ResourceFilter allows users to "AND" or "OR" between
|
|
resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information about
|
|
the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used to
|
|
match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one of the
|
|
values CREATE, UPDATE, CONNECT, DELETE, which are
|
|
used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
type: object
|
|
schedule:
|
|
description: The schedule in Cron format
|
|
type: string
|
|
required:
|
|
- schedule
|
|
type: object
|
|
status:
|
|
description: Status contains policy runtime data.
|
|
properties:
|
|
conditions:
|
|
items:
|
|
description: Condition contains details for one aspect of the current
|
|
state of this API Resource.
|
|
properties:
|
|
lastTransitionTime:
|
|
description: |-
|
|
lastTransitionTime is the last time the condition transitioned from one status to another.
|
|
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
|
|
format: date-time
|
|
type: string
|
|
message:
|
|
description: |-
|
|
message is a human readable message indicating details about the transition.
|
|
This may be an empty string.
|
|
maxLength: 32768
|
|
type: string
|
|
observedGeneration:
|
|
description: |-
|
|
observedGeneration represents the .metadata.generation that the condition was set based upon.
|
|
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
|
|
with respect to the current state of the instance.
|
|
format: int64
|
|
minimum: 0
|
|
type: integer
|
|
reason:
|
|
description: |-
|
|
reason contains a programmatic identifier indicating the reason for the condition's last transition.
|
|
Producers of specific condition types may define expected values and meanings for this field,
|
|
and whether the values are considered a guaranteed API.
|
|
The value should be a CamelCase string.
|
|
This field may not be empty.
|
|
maxLength: 1024
|
|
minLength: 1
|
|
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
|
type: string
|
|
status:
|
|
description: status of the condition, one of True, False, Unknown.
|
|
enum:
|
|
- "True"
|
|
- "False"
|
|
- Unknown
|
|
type: string
|
|
type:
|
|
description: type of condition in CamelCase or in foo.example.com/CamelCase.
|
|
maxLength: 316
|
|
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
|
type: string
|
|
required:
|
|
- lastTransitionTime
|
|
- message
|
|
- reason
|
|
- status
|
|
- type
|
|
type: object
|
|
type: array
|
|
lastExecutionTime:
|
|
format: date-time
|
|
type: string
|
|
type: object
|
|
required:
|
|
- spec
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources:
|
|
status: {}
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .spec.schedule
|
|
name: Schedule
|
|
type: string
|
|
- jsonPath: .metadata.creationTimestamp
|
|
name: Age
|
|
type: date
|
|
deprecated: true
|
|
name: v2beta1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: CleanupPolicy defines a rule for resource cleanup.
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion defines the versioned schema of this representation of an object.
|
|
Servers should convert recognized schemas to the latest internal value, and
|
|
may reject unrecognized values.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is a string value representing the REST resource this object represents.
|
|
Servers may infer this from the endpoint the client submits requests to.
|
|
Cannot be updated.
|
|
In CamelCase.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Spec declares policy behaviors.
|
|
properties:
|
|
conditions:
|
|
description: Conditions defines the conditions used to select the
|
|
resources which will be cleaned up.
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass.
|
|
items:
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using JMESPath) for
|
|
conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- AnyIn
|
|
- AllIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be a fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions need to pass.
|
|
items:
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using JMESPath) for
|
|
conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- AnyIn
|
|
- AllIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be a fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
context:
|
|
description: Context defines variables and data sources that can be
|
|
used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference or a APILookup must be provided.
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains the HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier for the data
|
|
value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns an error
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request type (GET or POST).
|
|
Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference is a reference to a
|
|
cached global context entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides credentials
|
|
that will be used for authentication with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows insecure access
|
|
to a registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
It can be of one of these values: default,google,azure,amazon,github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath context
|
|
variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON object representable
|
|
in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
exclude:
|
|
description: |-
|
|
ExcludeResources defines when cleanuppolicy should not be applied. The exclude
|
|
criteria can include resource information (e.g. kind, name, namespace, labels)
|
|
and admission review request information like the name or role.
|
|
not:
|
|
required:
|
|
- any
|
|
- all
|
|
properties:
|
|
all:
|
|
description: All allows specifying resources which will be ANDed
|
|
items:
|
|
description: ResourceFilter allows users to "AND" or "OR" between
|
|
resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information about
|
|
the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used to
|
|
match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one of the
|
|
values CREATE, UPDATE, CONNECT, DELETE, which are
|
|
used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: Any allows specifying resources which will be ORed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or "OR" between
|
|
resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information about
|
|
the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used to
|
|
match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one of the
|
|
values CREATE, UPDATE, CONNECT, DELETE, which are
|
|
used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
type: object
|
|
match:
|
|
description: |-
|
|
MatchResources defines when cleanuppolicy should be applied. The match
|
|
criteria can include resource information (e.g. kind, name, namespace, labels)
|
|
and admission review request information like the user name or role.
|
|
At least one kind is required.
|
|
not:
|
|
required:
|
|
- any
|
|
- all
|
|
properties:
|
|
all:
|
|
description: All allows specifying resources which will be ANDed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or "OR" between
|
|
resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information about
|
|
the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used to
|
|
match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one of the
|
|
values CREATE, UPDATE, CONNECT, DELETE, which are
|
|
used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: Any allows specifying resources which will be ORed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or "OR" between
|
|
resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information about
|
|
the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used to
|
|
match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one of the
|
|
values CREATE, UPDATE, CONNECT, DELETE, which are
|
|
used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
type: object
|
|
schedule:
|
|
description: The schedule in Cron format
|
|
type: string
|
|
required:
|
|
- schedule
|
|
type: object
|
|
status:
|
|
description: Status contains policy runtime data.
|
|
properties:
|
|
conditions:
|
|
items:
|
|
description: Condition contains details for one aspect of the current
|
|
state of this API Resource.
|
|
properties:
|
|
lastTransitionTime:
|
|
description: |-
|
|
lastTransitionTime is the last time the condition transitioned from one status to another.
|
|
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
|
|
format: date-time
|
|
type: string
|
|
message:
|
|
description: |-
|
|
message is a human readable message indicating details about the transition.
|
|
This may be an empty string.
|
|
maxLength: 32768
|
|
type: string
|
|
observedGeneration:
|
|
description: |-
|
|
observedGeneration represents the .metadata.generation that the condition was set based upon.
|
|
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
|
|
with respect to the current state of the instance.
|
|
format: int64
|
|
minimum: 0
|
|
type: integer
|
|
reason:
|
|
description: |-
|
|
reason contains a programmatic identifier indicating the reason for the condition's last transition.
|
|
Producers of specific condition types may define expected values and meanings for this field,
|
|
and whether the values are considered a guaranteed API.
|
|
The value should be a CamelCase string.
|
|
This field may not be empty.
|
|
maxLength: 1024
|
|
minLength: 1
|
|
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
|
type: string
|
|
status:
|
|
description: status of the condition, one of True, False, Unknown.
|
|
enum:
|
|
- "True"
|
|
- "False"
|
|
- Unknown
|
|
type: string
|
|
type:
|
|
description: type of condition in CamelCase or in foo.example.com/CamelCase.
|
|
maxLength: 316
|
|
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
|
type: string
|
|
required:
|
|
- lastTransitionTime
|
|
- message
|
|
- reason
|
|
- status
|
|
- type
|
|
type: object
|
|
type: array
|
|
lastExecutionTime:
|
|
format: date-time
|
|
type: string
|
|
type: object
|
|
required:
|
|
- spec
|
|
type: object
|
|
served: true
|
|
storage: false
|
|
subresources:
|
|
status: {}
|
|
---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/component: crds
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/managed-by: Helm
|
|
app.kubernetes.io/part-of: kyverno-crds
|
|
app.kubernetes.io/version: v0.0.0
|
|
helm.sh/chart: crds-v0.0.0
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.16.1
|
|
name: clustercleanuppolicies.kyverno.io
|
|
spec:
|
|
group: kyverno.io
|
|
names:
|
|
categories:
|
|
- kyverno
|
|
kind: ClusterCleanupPolicy
|
|
listKind: ClusterCleanupPolicyList
|
|
plural: clustercleanuppolicies
|
|
shortNames:
|
|
- ccleanpol
|
|
singular: clustercleanuppolicy
|
|
scope: Cluster
|
|
versions:
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .spec.schedule
|
|
name: Schedule
|
|
type: string
|
|
- jsonPath: .metadata.creationTimestamp
|
|
name: Age
|
|
type: date
|
|
name: v2
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: ClusterCleanupPolicy defines rule for resource cleanup.
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion defines the versioned schema of this representation of an object.
|
|
Servers should convert recognized schemas to the latest internal value, and
|
|
may reject unrecognized values.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is a string value representing the REST resource this object represents.
|
|
Servers may infer this from the endpoint the client submits requests to.
|
|
Cannot be updated.
|
|
In CamelCase.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Spec declares policy behaviors.
|
|
properties:
|
|
conditions:
|
|
description: Conditions defines the conditions used to select the
|
|
resources which will be cleaned up.
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass.
|
|
items:
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using JMESPath) for
|
|
conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- AnyIn
|
|
- AllIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions need to pass.
|
|
items:
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using JMESPath) for
|
|
conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
Equals, NotEquals, AnyIn, AllIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
DurationLessThanOrEquals, DurationLessThan. (`In` and `NotIn` are not part of the enum
enforced by this schema and will be rejected by the API server; use AnyIn/AllIn and
AnyNotIn/AllNotIn instead.)
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- AnyIn
|
|
- AllIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
context:
|
|
description: Context defines variables and data sources that can be
|
|
used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Exactly one of
configMap, apiCall, imageRegistry, variable or globalReference must be provided
(enforced by the oneOf constraint below).
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
The data returned is stored in the context with the name for the context entry.
Note: the request is made by the Kyverno controller, presumably under its own
service-account RBAC rather than the policy author's, so the ability to create or edit
a policy effectively grants read access to whatever the controller is allowed to query.
Scope policy write access accordingly.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains the HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier for the data
|
|
value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
returns an error. Because a failed lookup silently substitutes this value, choose a
default that makes the downstream conditions fail closed (select nothing for cleanup)
rather than one that causes resources to match.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request type (GET or POST).
|
|
Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate. Set it whenever the service uses a certificate that is not
issued by a CA the controller already trusts; how an unset bundle is handled is not
shown here and should be confirmed against the controller's TLS client configuration.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
Prefer an https URL together with `caBundle`: the response is trusted as policy
context, and the controller will connect to whatever host is given here, so restrict
who may edit policies and which networks the controller can reach.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference is a reference to a
|
|
cached global context entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
transform the data of the referenced global context entry (its cached result)
before it is stored under this context entry's name. For example a JMESPath of
"items | length(@)" applied to a cached list of deployments will return the
total count of deployments.
|
|
type: string
|
|
name:
|
|
description: Name of the global context entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides credentials
|
|
that will be used for authentication with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows insecure access
to a registry (transport security relaxed, e.g. plain HTTP or unverified TLS; confirm
the exact behaviour against the registry client). Image metadata fetched this way can
be tampered with in transit, so leave it unset except for isolated test registries.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
It can be of one of these values: default,google,azure,amazon,github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath context
|
|
variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON object representable
|
|
in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
exclude:
|
|
description: |-
|
|
ExcludeResources defines when cleanuppolicy should not be applied. The exclude
|
|
criteria can include resource information (e.g. kind, name, namespace, labels)
|
|
and admission review request information like the user name or role.
|
|
not:
|
|
required:
|
|
- any
|
|
- all
|
|
properties:
|
|
all:
|
|
description: All allows specifying resources which will be ANDed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or "OR" between
|
|
resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information about
|
|
the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespaces names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used to
|
|
match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one of the
|
|
values CREATE, UPDATE, CONNECT, DELETE, which are
|
|
used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognized the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: Any allows specifying resources which will be ORed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or "OR" between
|
|
resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information about
|
|
the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespaces names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used to
|
|
match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one of the
|
|
values CREATE, UPDATE, CONNECT, DELETE, which are
|
|
used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognized the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
type: object
|
|
match:
|
|
description: |-
|
|
MatchResources defines when cleanuppolicy should be applied. The match
|
|
criteria can include resource information (e.g. kind, name, namespace, labels)
|
|
and admission review request information like the user name or role.
|
|
At least one kind is required.
|
|
not:
|
|
required:
|
|
- any
|
|
- all
|
|
properties:
|
|
all:
|
|
description: All allows specifying resources which will be ANDed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or "OR" between
|
|
resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information about
|
|
the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespaces names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used to
|
|
match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one of the
|
|
values CREATE, UPDATE, CONNECT, DELETE, which are
|
|
used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognized the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: Any allows specifying resources which will be ORed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or "OR" between
|
|
resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information about
|
|
the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespaces names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used to
|
|
match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one of the
|
|
values CREATE, UPDATE, CONNECT, DELETE, which are
|
|
used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
type: object
|
|
schedule:
|
|
description: The schedule in Cron format
|
|
type: string
|
|
required:
|
|
- schedule
|
|
type: object
|
|
status:
|
|
description: Status contains policy runtime data.
|
|
properties:
|
|
conditions:
|
|
items:
|
|
description: Condition contains details for one aspect of the current
|
|
state of this API Resource.
|
|
properties:
|
|
lastTransitionTime:
|
|
description: |-
|
|
lastTransitionTime is the last time the condition transitioned from one status to another.
|
|
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
|
|
format: date-time
|
|
type: string
|
|
message:
|
|
description: |-
|
|
message is a human readable message indicating details about the transition.
|
|
This may be an empty string.
|
|
maxLength: 32768
|
|
type: string
|
|
observedGeneration:
|
|
description: |-
|
|
observedGeneration represents the .metadata.generation that the condition was set based upon.
|
|
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
|
|
with respect to the current state of the instance.
|
|
format: int64
|
|
minimum: 0
|
|
type: integer
|
|
reason:
|
|
description: |-
|
|
reason contains a programmatic identifier indicating the reason for the condition's last transition.
|
|
Producers of specific condition types may define expected values and meanings for this field,
|
|
and whether the values are considered a guaranteed API.
|
|
The value should be a CamelCase string.
|
|
This field may not be empty.
|
|
maxLength: 1024
|
|
minLength: 1
|
|
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
|
type: string
|
|
status:
|
|
description: status of the condition, one of True, False, Unknown.
|
|
enum:
|
|
- "True"
|
|
- "False"
|
|
- Unknown
|
|
type: string
|
|
type:
|
|
description: type of condition in CamelCase or in foo.example.com/CamelCase.
|
|
maxLength: 316
|
|
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
|
type: string
|
|
required:
|
|
- lastTransitionTime
|
|
- message
|
|
- reason
|
|
- status
|
|
- type
|
|
type: object
|
|
type: array
|
|
lastExecutionTime:
|
|
format: date-time
|
|
type: string
|
|
type: object
|
|
required:
|
|
- spec
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources:
|
|
status: {}
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .spec.schedule
|
|
name: Schedule
|
|
type: string
|
|
- jsonPath: .metadata.creationTimestamp
|
|
name: Age
|
|
type: date
|
|
deprecated: true
|
|
name: v2beta1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: ClusterCleanupPolicy defines rule for resource cleanup.
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion defines the versioned schema of this representation of an object.
|
|
Servers should convert recognized schemas to the latest internal value, and
|
|
may reject unrecognized values.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is a string value representing the REST resource this object represents.
|
|
Servers may infer this from the endpoint the client submits requests to.
|
|
Cannot be updated.
|
|
In CamelCase.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Spec declares policy behaviors.
|
|
properties:
|
|
conditions:
|
|
description: Conditions defines the conditions used to select the
|
|
resources which will be cleaned up.
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass.
|
|
items:
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using JMESPath) for
|
|
conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- AnyIn
|
|
- AllIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be a fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions needs to pass.
|
|
items:
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using JMESPath) for
|
|
conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- AnyIn
|
|
- AllIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be a fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
context:
|
|
description: Context defines variables and data sources that can be
|
|
used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference or an APILookup must be provided.
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains the HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier for the data
|
|
value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns an error
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request type (GET or POST).
|
|
Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference is a reference to a
|
|
cached global context entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides credentials
|
|
that will be used for authentication with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows insecure access
|
|
to a registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
It can be of one of these values: default,google,azure,amazon,github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath context
|
|
variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON object representable
|
|
in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
exclude:
|
|
description: |-
|
|
ExcludeResources defines when cleanuppolicy should not be applied. The exclude
|
|
criteria can include resource information (e.g. kind, name, namespace, labels)
|
|
and admission review request information like the name or role.
|
|
not:
|
|
required:
|
|
- any
|
|
- all
|
|
properties:
|
|
all:
|
|
description: All allows specifying resources which will be ANDed
|
|
items:
|
|
description: ResourceFilter allows users to "AND" or "OR" between
|
|
resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information about
|
|
the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used to
|
|
match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one of the
|
|
values CREATE, UPDATE, CONNECT, DELETE, which are
|
|
used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: Any allows specifying resources which will be ORed
|
|
items:
|
|
description: ResourceFilter allows users to "AND" or "OR" between
|
|
resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information about
|
|
the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used to
|
|
match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one of the
|
|
values CREATE, UPDATE, CONNECT, DELETE, which are
|
|
used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
type: object
|
|
match:
|
|
description: |-
|
|
MatchResources defines when cleanuppolicy should be applied. The match
|
|
criteria can include resource information (e.g. kind, name, namespace, labels)
|
|
and admission review request information like the user name or role.
|
|
At least one kind is required.
|
|
not:
|
|
required:
|
|
- any
|
|
- all
|
|
properties:
|
|
all:
|
|
description: All allows specifying resources which will be ANDed
|
|
items:
|
|
description: ResourceFilter allows users to "AND" or "OR" between
|
|
resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information about
|
|
the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used to
|
|
match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one of the
|
|
values CREATE, UPDATE, CONNECT, DELETE, which are
|
|
used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: Any allows specifying resources which will be ORed
|
|
items:
|
|
description: ResourceFilter allows users to "AND" or "OR" between
|
|
resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information about
|
|
the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used to
|
|
match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one of the
|
|
values CREATE, UPDATE, CONNECT, DELETE, which are
|
|
used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
type: object
|
|
schedule:
|
|
description: The schedule in Cron format
|
|
type: string
|
|
required:
|
|
- schedule
|
|
type: object
|
|
status:
|
|
description: Status contains policy runtime data.
|
|
properties:
|
|
conditions:
|
|
items:
|
|
description: Condition contains details for one aspect of the current
|
|
state of this API Resource.
|
|
properties:
|
|
lastTransitionTime:
|
|
description: |-
|
|
lastTransitionTime is the last time the condition transitioned from one status to another.
|
|
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
|
|
format: date-time
|
|
type: string
|
|
message:
|
|
description: |-
|
|
message is a human readable message indicating details about the transition.
|
|
This may be an empty string.
|
|
maxLength: 32768
|
|
type: string
|
|
observedGeneration:
|
|
description: |-
|
|
observedGeneration represents the .metadata.generation that the condition was set based upon.
|
|
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
|
|
with respect to the current state of the instance.
|
|
format: int64
|
|
minimum: 0
|
|
type: integer
|
|
reason:
|
|
description: |-
|
|
reason contains a programmatic identifier indicating the reason for the condition's last transition.
|
|
Producers of specific condition types may define expected values and meanings for this field,
|
|
and whether the values are considered a guaranteed API.
|
|
The value should be a CamelCase string.
|
|
This field may not be empty.
|
|
maxLength: 1024
|
|
minLength: 1
|
|
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
|
type: string
|
|
status:
|
|
description: status of the condition, one of True, False, Unknown.
|
|
enum:
|
|
- "True"
|
|
- "False"
|
|
- Unknown
|
|
type: string
|
|
type:
|
|
description: type of condition in CamelCase or in foo.example.com/CamelCase.
|
|
maxLength: 316
|
|
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
|
type: string
|
|
required:
|
|
- lastTransitionTime
|
|
- message
|
|
- reason
|
|
- status
|
|
- type
|
|
type: object
|
|
type: array
|
|
lastExecutionTime:
|
|
format: date-time
|
|
type: string
|
|
type: object
|
|
required:
|
|
- spec
|
|
type: object
|
|
served: true
|
|
storage: false
|
|
subresources:
|
|
status: {}
|
|
---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/component: crds
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/managed-by: Helm
|
|
app.kubernetes.io/part-of: kyverno-crds
|
|
app.kubernetes.io/version: v0.0.0
|
|
helm.sh/chart: crds-v0.0.0
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.16.1
|
|
name: clusterpolicies.kyverno.io
|
|
spec:
|
|
group: kyverno.io
|
|
names:
|
|
categories:
|
|
- kyverno
|
|
kind: ClusterPolicy
|
|
listKind: ClusterPolicyList
|
|
plural: clusterpolicies
|
|
shortNames:
|
|
- cpol
|
|
singular: clusterpolicy
|
|
scope: Cluster
|
|
versions:
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .spec.admission
|
|
name: ADMISSION
|
|
type: boolean
|
|
- jsonPath: .spec.background
|
|
name: BACKGROUND
|
|
type: boolean
|
|
- jsonPath: .status.conditions[?(@.type == "Ready")].status
|
|
name: READY
|
|
type: string
|
|
- jsonPath: .metadata.creationTimestamp
|
|
name: AGE
|
|
type: date
|
|
- jsonPath: .spec.failurePolicy
|
|
name: FAILURE POLICY
|
|
priority: 1
|
|
type: string
|
|
- jsonPath: .status.rulecount.validate
|
|
name: VALIDATE
|
|
priority: 1
|
|
type: integer
|
|
- jsonPath: .status.rulecount.mutate
|
|
name: MUTATE
|
|
priority: 1
|
|
type: integer
|
|
- jsonPath: .status.rulecount.generate
|
|
name: GENERATE
|
|
priority: 1
|
|
type: integer
|
|
- jsonPath: .status.rulecount.verifyimages
|
|
name: VERIFY IMAGES
|
|
priority: 1
|
|
type: integer
|
|
- jsonPath: .status.conditions[?(@.type == "Ready")].message
|
|
name: MESSAGE
|
|
type: string
|
|
name: v1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: ClusterPolicy declares validation, mutation, and generation behaviors
|
|
for matching resources.
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion defines the versioned schema of this representation of an object.
|
|
Servers should convert recognized schemas to the latest internal value, and
|
|
may reject unrecognized values.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is a string value representing the REST resource this object represents.
|
|
Servers may infer this from the endpoint the client submits requests to.
|
|
Cannot be updated.
|
|
In CamelCase.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Spec declares policy behaviors.
|
|
properties:
|
|
admission:
|
|
default: true
|
|
description: |-
|
|
Admission controls if rules are applied during admission.
|
|
Optional. Default value is "true".
|
|
type: boolean
|
|
applyRules:
|
|
description: |-
|
|
ApplyRules controls how rules in a policy are applied. Rules are processed in
|
|
the order of declaration. When set to `One` processing stops after a rule has
|
|
been applied, i.e. the rule matches and results in a pass, fail, or error. When
|
|
set to `All` all rules in the policy are processed. The default is `All`.
|
|
enum:
|
|
- All
|
|
- One
|
|
type: string
|
|
background:
|
|
default: true
|
|
description: |-
|
|
Background controls if rules are applied to existing resources during a background scan.
|
|
Optional. Default value is "true". The value must be set to "false" if the policy rule
|
|
uses variables that are only available in the admission review request (e.g. user name).
|
|
type: boolean
|
|
failurePolicy:
|
|
description: Deprecated, use failurePolicy under the webhookConfiguration
|
|
instead.
|
|
enum:
|
|
- Ignore
|
|
- Fail
|
|
type: string
|
|
generateExisting:
|
|
description: Deprecated, use generateExisting under the generate rule
|
|
instead
|
|
type: boolean
|
|
generateExistingOnPolicyUpdate:
|
|
description: Deprecated, use generateExisting instead
|
|
type: boolean
|
|
mutateExistingOnPolicyUpdate:
|
|
description: Deprecated, use mutateExistingOnPolicyUpdate under the
|
|
mutate rule instead
|
|
type: boolean
|
|
rules:
|
|
description: |-
|
|
Rules is a list of Rule instances. A Policy contains multiple rules and
|
|
each rule can validate, mutate, or generate resources.
|
|
items:
|
|
description: |-
|
|
Rule defines a validation, mutation, or generation control for matching resources.
|
|
Each rule contains a match declaration to select resources, and an optional exclude
|
|
declaration to specify which resources to exclude.
|
|
properties:
|
|
celPreconditions:
|
|
description: |-
|
|
CELPreconditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of CEL conditions. They can only be used with the validate.cel subrule.
|
|
items:
|
|
description: MatchCondition represents a condition which must
|
|
be fulfilled for a request to be sent to a webhook.
|
|
properties:
|
|
expression:
|
|
description: |-
|
|
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
|
|
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
|
|
|
|
'object' - The object from the incoming request. The value is null for DELETE requests.
|
|
'oldObject' - The existing object. The value is null for CREATE requests.
|
|
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
|
|
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
|
|
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
|
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
|
|
request resource.
|
|
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
|
|
|
|
Required.
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name is an identifier for this match condition, used for strategic merging of MatchConditions,
|
|
as well as providing an identifier for logging purposes. A good name should be descriptive of
|
|
the associated expression.
|
|
Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
|
|
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
|
|
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
|
|
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
|
|
|
|
Required.
|
|
type: string
|
|
required:
|
|
- expression
|
|
- name
|
|
type: object
|
|
type: array
|
|
context:
|
|
description: Context defines variables and data sources that
|
|
can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference or an APILookup must be provided.
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains the HTTP POST
|
|
data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier for
|
|
the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns an error.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request type (GET
|
|
or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference is a reference
|
|
to a cached global context entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides credentials
|
|
that will be used for authentication with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows insecure
|
|
access to a registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
It can be one of these values: default, google, azure, amazon, github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential providers
|
|
required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath context
|
|
variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON object representable
|
|
in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
exclude:
|
|
description: |-
|
|
ExcludeResources defines when this policy rule should not be applied. The exclude
|
|
criteria can include resource information (e.g. kind, name, namespace, labels)
|
|
and admission review request information like the name or role.
|
|
not:
|
|
required:
|
|
- any
|
|
- all
|
|
properties:
|
|
all:
|
|
description: All allows specifying resources which will
|
|
be ANDed
|
|
items:
|
|
description: ResourceFilter allows users to "AND" or "OR"
|
|
between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used
|
|
to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one
|
|
of the values CREATE, UPDATE, CONNECT, DELETE,
|
|
which are used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: Any allows specifying resources which will
|
|
be ORed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or "OR"
|
|
between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used
|
|
to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one
|
|
of the values CREATE, UPDATE, CONNECT, DELETE,
|
|
which are used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: |-
|
|
ResourceDescription contains information about the resource being created or modified.
|
|
Requires at least one tag to be specified when under MatchResources.
|
|
Specifying ResourceDescription directly under match is being deprecated.
|
|
Please specify under "any" or "all" instead.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used to
|
|
match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one of the
|
|
values CREATE, UPDATE, CONNECT, DELETE, which are
|
|
used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
generate:
|
|
description: Generation is used to create new resources.
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
clone:
|
|
description: |-
|
|
Clone specifies the source resource used to populate each generated resource.
|
|
At most one of Data or Clone can be specified. If neither are provided, the generated
|
|
resource will be created with default data only.
|
|
properties:
|
|
name:
|
|
description: Name specifies name of the resource.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies source resource namespace.
|
|
type: string
|
|
type: object
|
|
cloneList:
|
|
description: CloneList specifies the list of source resource
|
|
used to populate each generated resource.
|
|
properties:
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespace:
|
|
description: Namespace specifies source resource namespace.
|
|
type: string
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels`.
|
|
Wildcard characters are not supported.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
data:
|
|
description: |-
|
|
Data provides the resource declaration used to populate each generated resource.
|
|
At most one of Data or Clone must be specified. If neither are provided, the generated
|
|
resource will be created with default data only.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
foreach:
|
|
description: ForEach applies generate rules to a list of
|
|
sub-elements by creating a context for each entry in the
|
|
list and looping over it to apply the specified logic.
|
|
items:
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
clone:
|
|
description: |-
|
|
Clone specifies the source resource used to populate each generated resource.
|
|
At most one of Data or Clone can be specified. If neither are provided, the generated
|
|
resource will be created with default data only.
|
|
properties:
|
|
name:
|
|
description: Name specifies name of the resource.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies source resource
|
|
namespace.
|
|
type: string
|
|
type: object
|
|
cloneList:
|
|
description: CloneList specifies the list of source
|
|
resource used to populate each generated resource.
|
|
properties:
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespace:
|
|
description: Namespace specifies source resource
|
|
namespace.
|
|
type: string
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels`.
|
|
Wildcard characters are not supported.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
context:
|
|
description: Context defines variables and data sources
|
|
that can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference or an APILookup must be provided.
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains the
|
|
HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns error
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference is
|
|
a reference to a cached global context entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context
|
|
entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides
|
|
credentials that will be used for authentication
|
|
with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows
|
|
insecure access to a registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
It can be one of these values: default, google, azure, amazon, github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath
|
|
context variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON
|
|
object representable in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
data:
|
|
description: |-
|
|
Data provides the resource declaration used to populate each generated resource.
|
|
At most one of Data or Clone must be specified. If neither are provided, the generated
|
|
resource will be created with default data only.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
list:
|
|
description: |-
|
|
List specifies a JMESPath expression that results in one or more elements
|
|
to which the validation logic is applied.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
preconditions:
|
|
description: |-
|
|
AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display
|
|
message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display
|
|
message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
uid:
|
|
description: UID specifies the resource uid.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
generateExisting:
|
|
description: |-
|
|
GenerateExisting controls whether to trigger the rule in existing resources
|
|
If set to "true" the rule will be triggered and applied to existing matched resources.
|
|
type: boolean
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
orphanDownstreamOnPolicyDelete:
|
|
description: |-
|
|
OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
|
|
them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
|
|
See https://kyverno.io/docs/writing-policies/generate/#data-examples.
|
|
Defaults to "false" if not specified.
|
|
type: boolean
|
|
synchronize:
|
|
description: |-
|
|
Synchronize controls if generated resources should be kept in-sync with their source resource.
|
|
If Synchronize is set to "true" changes to generated resources will be overwritten with resource
|
|
data from Data or the resource specified in the Clone declaration.
|
|
Optional. Defaults to "false" if not specified.
|
|
type: boolean
|
|
uid:
|
|
description: UID specifies the resource uid.
|
|
type: string
|
|
type: object
|
|
imageExtractors:
|
|
additionalProperties:
|
|
items:
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath expression to apply to the image value.
|
|
This is useful when the extracted image begins with a prefix like 'docker://'.
|
|
The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
|
|
Note - Image digest mutation may not be used when applying a JMESPath to an image.
|
|
type: string
|
|
key:
|
|
description: |-
|
|
Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
|
|
Note - this field MUST be unique.
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name is the entry the image will be available under 'images.<name>' in the context.
|
|
If this field is not defined, image entries will appear under 'images.custom'.
|
|
type: string
|
|
path:
|
|
description: |-
|
|
Path is the path to the object containing the image field in a custom resource.
|
|
It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
|
|
Wildcard keys are expanded in case of arrays or objects.
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is an optional name of the field within 'path' that points to the image URI.
|
|
This is useful when a custom 'key' is also defined.
|
|
type: string
|
|
required:
|
|
- path
|
|
type: object
|
|
type: array
|
|
description: |-
|
|
ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
|
|
This config is only valid for verifyImages rules.
|
|
type: object
|
|
match:
|
|
description: |-
|
|
MatchResources defines when this policy rule should be applied. The match
|
|
criteria can include resource information (e.g. kind, name, namespace, labels)
|
|
and admission review request information like the user name or role.
|
|
At least one kind is required.
|
|
not:
|
|
required:
|
|
- any
|
|
- all
|
|
properties:
|
|
all:
|
|
description: All allows specifying resources which will
|
|
be ANDed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or "OR"
|
|
between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used
|
|
to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one
|
|
of the values CREATE, UPDATE, CONNECT, DELETE,
|
|
which are used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: Any allows specifying resources which will
|
|
be ORed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or "OR"
|
|
between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used
|
|
to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one
|
|
of the values CREATE, UPDATE, CONNECT, DELETE,
|
|
which are used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: |-
|
|
ResourceDescription contains information about the resource being created or modified.
|
|
Requires at least one tag to be specified when under MatchResources.
|
|
Specifying ResourceDescription directly under match is being deprecated.
|
|
Please specify under "any" or "all" instead.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used to
|
|
match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one of the
|
|
values CREATE, UPDATE, CONNECT, DELETE, which are
|
|
used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
mutate:
|
|
description: Mutation is used to modify matching resources.
|
|
properties:
|
|
foreach:
|
|
description: ForEach applies mutation rules to a list of
|
|
sub-elements by creating a context for each entry in the
|
|
list and looping over it to apply the specified logic.
|
|
items:
|
|
description: ForEachMutation applies mutation rules to
|
|
a list of sub-elements by creating a context for each
|
|
entry in the list and looping over it to apply the specified
|
|
logic.
|
|
properties:
|
|
context:
|
|
description: Context defines variables and data sources
|
|
that can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Exactly one of
|
|
configMap, apiCall, imageRegistry, variable or globalReference must be provided.
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains the
|
|
HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns an error
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference is
|
|
a reference to a cached global context entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context
|
|
entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides
|
|
credentials that will be used for authentication
|
|
with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows
|
|
insecure access to a registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
It can be one of these values: default, google, azure, amazon, github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is an image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath
|
|
context variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON
|
|
object representable in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
foreach:
|
|
description: Foreach declares a nested foreach iterator
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
list:
|
|
description: |-
|
|
List specifies a JMESPath expression that results in one or more elements
|
|
to which the validation logic is applied.
|
|
type: string
|
|
order:
|
|
description: |-
|
|
Order defines the iteration order on the list.
|
|
Can be Ascending to iterate from the first to the last element or Descending to iterate from the last to the first element.
|
|
enum:
|
|
- Ascending
|
|
- Descending
|
|
type: string
|
|
patchStrategicMerge:
|
|
description: |-
|
|
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
|
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
|
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
patchesJson6902:
|
|
description: |-
|
|
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
|
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
|
type: string
|
|
preconditions:
|
|
description: |-
|
|
AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display
|
|
message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions needs to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display
|
|
message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
mutateExistingOnPolicyUpdate:
|
|
description: MutateExistingOnPolicyUpdate controls if the
|
|
mutateExisting rule will be applied on policy events.
|
|
type: boolean
|
|
patchStrategicMerge:
|
|
description: |-
|
|
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
|
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
|
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
patchesJson6902:
|
|
description: |-
|
|
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
|
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
|
type: string
|
|
targets:
|
|
description: Targets defines the target resources to be
|
|
mutated.
|
|
items:
|
|
description: TargetResourceSpec defines targets for mutating
|
|
existing resources.
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
context:
|
|
description: Context defines variables and data sources
|
|
that can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference or an APILookup must be provided.
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains the
|
|
HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns an error
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference is
|
|
a reference to a cached global context entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context
|
|
entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides
|
|
credentials that will be used for authentication
|
|
with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows
|
|
insecure access to a registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
It can be one of these values: default, google, azure, amazon, github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is an image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath
|
|
context variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON
|
|
object representable in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
preconditions:
|
|
description: |-
|
|
Preconditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
|
|
of conditions (without `any` or `all` statements) is supported for backwards compatibility but
|
|
will be deprecated in the next major release.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
uid:
|
|
description: UID specifies the resource uid.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
name:
|
|
description: Name is a label to identify the rule. It must be
|
|
unique within the policy.
|
|
maxLength: 63
|
|
type: string
|
|
preconditions:
|
|
description: |-
|
|
Preconditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
|
|
of conditions (without `any` or `all` statements) is supported for backwards compatibility but
|
|
will be deprecated in the next major release.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
reportProperties:
|
|
additionalProperties:
|
|
type: string
|
|
description: ReportProperties are the additional properties
|
|
from the rule that will be added to the policy report result
|
|
type: object
|
|
skipBackgroundRequests:
|
|
default: true
|
|
description: |-
|
|
SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
|
|
The default value is set to "true"; it must be set to "false" to apply
|
|
generate and mutateExisting rules to those requests.
|
|
type: boolean
|
|
validate:
|
|
description: Validation is used to validate matching resources.
|
|
properties:
|
|
anyPattern:
|
|
description: |-
|
|
AnyPattern specifies list of validation patterns. At least one of the patterns
|
|
must be satisfied for the validation rule to succeed.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
assert:
|
|
description: Assert defines a kyverno-json assertion tree.
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
cel:
|
|
description: CEL allows validation checks using the Common
|
|
Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
|
|
properties:
|
|
auditAnnotations:
|
|
description: AuditAnnotations contains CEL expressions
|
|
which are used to produce audit annotations for the
|
|
audit event of the API request.
|
|
items:
|
|
description: AuditAnnotation describes how to produce
|
|
an audit annotation for an API request.
|
|
properties:
|
|
key:
|
|
description: |-
|
|
key specifies the audit annotation key. The audit annotation keys of
|
|
a ValidatingAdmissionPolicy must be unique. The key must be a qualified
|
|
name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
|
|
|
|
The key is combined with the resource name of the
|
|
ValidatingAdmissionPolicy to construct an audit annotation key:
|
|
"{ValidatingAdmissionPolicy name}/{key}".
|
|
|
|
If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
|
|
and the same audit annotation key, the annotation key will be identical.
|
|
In this case, the first annotation written with the key will be included
|
|
in the audit event and all subsequent annotations with the same key
|
|
will be discarded.
|
|
|
|
Required.
|
|
type: string
|
|
valueExpression:
|
|
description: |-
|
|
valueExpression represents the expression which is evaluated by CEL to
|
|
produce an audit annotation value. The expression must evaluate to either
|
|
a string or null value. If the expression evaluates to a string, the
|
|
audit annotation is included with the string value. If the expression
|
|
evaluates to null or empty string the audit annotation will be omitted.
|
|
The valueExpression may be no longer than 5kb in length.
|
|
If the result of the valueExpression is more than 10kb in length, it
|
|
will be truncated to 10kb.
|
|
|
|
If multiple ValidatingAdmissionPolicyBinding resources match an
|
|
API request, then the valueExpression will be evaluated for
|
|
each binding. All unique values produced by the valueExpressions
|
|
will be joined together in a comma-separated list.
|
|
|
|
Required.
|
|
type: string
|
|
required:
|
|
- key
|
|
- valueExpression
|
|
type: object
|
|
type: array
|
|
expressions:
|
|
description: Expressions is a list of CELExpression
|
|
types.
|
|
items:
|
|
description: Validation specifies the CEL expression
|
|
which is used to apply the validation.
|
|
properties:
|
|
expression:
|
|
description: "Expression represents the expression
|
|
which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
|
|
expressions have access to the contents of the
|
|
API request/response, organized into CEL variables
|
|
as well as some other useful variables:\n\n-
|
|
'object' - The object from the incoming request.
|
|
The value is null for DELETE requests.\n- 'oldObject'
|
|
- The existing object. The value is null for
|
|
CREATE requests.\n- 'request' - Attributes of
|
|
the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
|
|
'params' - Parameter resource referred to by
|
|
the policy binding being evaluated. Only populated
|
|
if the policy has a ParamKind.\n- 'namespaceObject'
|
|
- The namespace object that the incoming object
|
|
belongs to. The value is null for cluster-scoped
|
|
resources.\n- 'variables' - Map of composited
|
|
variables, from its name to its lazily evaluated
|
|
value.\n For example, a variable named 'foo'
|
|
can be accessed as 'variables.foo'.\n- 'authorizer'
|
|
- A CEL Authorizer. May be used to perform authorization
|
|
checks for the principal (user or service account)
|
|
of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
|
|
'authorizer.requestResource' - A CEL ResourceCheck
|
|
constructed from the 'authorizer' and configured
|
|
with the\n request resource.\n\nThe `apiVersion`,
|
|
`kind`, `metadata.name` and `metadata.generateName`
|
|
are always accessible from the root of the\nobject.
|
|
No other metadata properties are accessible.\n\nOnly
|
|
property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
|
|
are accessible.\nAccessible property names are
|
|
escaped according to the following rules when
|
|
accessed in the expression:\n- '__' escapes
|
|
to '__underscores__'\n- '.' escapes to '__dot__'\n-
|
|
'-' escapes to '__dash__'\n- '/' escapes to
|
|
'__slash__'\n- Property names that exactly match
|
|
a CEL RESERVED keyword escape to '__{keyword}__'.
|
|
The keywords are:\n\t \"true\", \"false\",
|
|
\"null\", \"in\", \"as\", \"break\", \"const\",
|
|
\"continue\", \"else\", \"for\", \"function\",
|
|
\"if\",\n\t \"import\", \"let\", \"loop\",
|
|
\"package\", \"namespace\", \"return\".\nExamples:\n
|
|
\ - Expression accessing a property named \"namespace\":
|
|
{\"Expression\": \"object.__namespace__ > 0\"}\n
|
|
\ - Expression accessing a property named \"x-prop\":
|
|
{\"Expression\": \"object.x__dash__prop > 0\"}\n
|
|
\ - Expression accessing a property named \"redact__d\":
|
|
{\"Expression\": \"object.redact__underscores__d
|
|
> 0\"}\n\nEquality on arrays with list type
|
|
of 'set' or 'map' ignores element order, i.e.
|
|
[1, 2] == [2, 1].\nConcatenation on arrays with
|
|
x-kubernetes-list-type use the semantics of
|
|
the list type:\n - 'set': `X + Y` performs
|
|
a union where the array positions of all elements
|
|
in `X` are preserved and\n non-intersecting
|
|
elements in `Y` are appended, retaining their
|
|
partial order.\n - 'map': `X + Y` performs
|
|
a merge where the array positions of all keys
|
|
in `X` are preserved but the values\n are
|
|
overwritten by values in `Y` when the key sets
|
|
of `X` and `Y` intersect. Elements in `Y` with\n
|
|
\ non-intersecting keys are appended, retaining
|
|
their partial order.\nRequired."
|
|
type: string
|
|
message:
|
|
description: |-
|
|
Message represents the message displayed when validation fails. The message is required if the Expression contains
|
|
line breaks. The message must not contain line breaks.
|
|
If unset, the message is "failed rule: {Rule}".
|
|
e.g. "must be a URL with the host matching spec.host"
|
|
If the Expression contains line breaks. Message is required.
|
|
The message must not contain line breaks.
|
|
If unset, the message is "failed Expression: {Expression}".
|
|
type: string
|
|
messageExpression:
|
|
description: |-
|
|
messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
|
|
Since messageExpression is used as a failure message, it must evaluate to a string.
|
|
If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
|
|
If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
|
|
as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
|
|
that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
|
|
the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
|
|
messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
|
|
Example:
|
|
"object.x must be less than max ("+string(params.max)+")"
|
|
type: string
|
|
reason:
|
|
description: |-
|
|
Reason represents a machine-readable description of why this validation failed.
|
|
If this is the first validation in the list to fail, this reason, as well as the
|
|
corresponding HTTP response code, are used in the
|
|
HTTP response to the client.
|
|
The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
|
|
If not set, StatusReasonInvalid is used in the response to the client.
|
|
type: string
|
|
required:
|
|
- expression
|
|
type: object
|
|
type: array
|
|
paramKind:
|
|
description: ParamKind is a tuple of Group Kind and
|
|
Version.
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion is the API group version the resources belong to.
|
|
In format of "group/version".
|
|
Required.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is the API kind the resources belong to.
|
|
Required.
|
|
type: string
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
paramRef:
|
|
description: ParamRef references a parameter resource.
|
|
properties:
|
|
name:
|
|
description: |-
|
|
name is the name of the resource being referenced.
|
|
|
|
One of `name` or `selector` must be set, but `name` and `selector` are
|
|
mutually exclusive properties. If one is set, the other must be unset.
|
|
|
|
A single parameter used for all admission requests can be configured
|
|
by setting the `name` field, leaving `selector` blank, and setting namespace
|
|
if `paramKind` is namespace-scoped.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
namespace is the namespace of the referenced resource. Allows limiting
|
|
the search for params to a specific namespace. Applies to both `name` and
|
|
`selector` fields.
|
|
|
|
A per-namespace parameter may be used by specifying a namespace-scoped
|
|
`paramKind` in the policy and leaving this field empty.
|
|
|
|
- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
|
|
field results in a configuration error.
|
|
|
|
- If `paramKind` is namespace-scoped, the namespace of the object being
|
|
evaluated for admission will be used when this field is left unset. Take
|
|
care that if this is left empty the binding must not match any cluster-scoped
|
|
resources, which will result in an error.
|
|
type: string
|
|
parameterNotFoundAction:
|
|
description: |-
|
|
`parameterNotFoundAction` controls the behavior of the binding when the resource
|
|
exists, and name or selector is valid, but there are no parameters
|
|
matched by the binding. If the value is set to `Allow`, then no
|
|
matched parameters will be treated as successful validation by the binding.
|
|
If set to `Deny`, then no matched parameters will be subject to the
|
|
`failurePolicy` of the policy.
|
|
|
|
Allowed values are `Allow` or `Deny`
|
|
|
|
Required
|
|
type: string
|
|
selector:
|
|
description: |-
|
|
selector can be used to match multiple param objects based on their labels.
|
|
Supply selector: {} to match all resources of the ParamKind.
|
|
|
|
If multiple params are found, they are all evaluated with the policy expressions
|
|
and the results are ANDed together.
|
|
|
|
One of `name` or `selector` must be set, but `name` and `selector` are
|
|
mutually exclusive properties. If one is set, the other must be unset.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
variables:
|
|
description: |-
|
|
Variables contain definitions of variables that can be used in composition of other expressions.
|
|
Each variable is defined as a named CEL expression.
|
|
The variables defined here will be available under `variables` in other expressions of the policy.
|
|
items:
|
|
description: Variable is the definition of a variable
|
|
that is used for composition. A variable is defined
|
|
as a named expression.
|
|
properties:
|
|
expression:
|
|
description: |-
|
|
Expression is the expression that will be evaluated as the value of the variable.
|
|
The CEL expression has access to the same identifiers as the CEL expressions in Validation.
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
|
|
The variable can be accessed in other expressions through `variables`
|
|
For example, if name is "foo", the variable will be available as `variables.foo`
|
|
type: string
|
|
required:
|
|
- expression
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
deny:
|
|
description: Deny defines conditions used to pass or fail
|
|
a validation rule.
|
|
properties:
|
|
conditions:
|
|
description: |-
|
|
Multiple conditions can be declared under an `any` or `all` statement. A direct list
|
|
of conditions (without `any` or `all` statements) is also supported for backwards compatibility
|
|
but will be deprecated in the next major release.
|
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
failureAction:
|
|
description: |-
|
|
FailureAction defines if a validation policy rule violation should block
|
|
the admission review request (Enforce), or allow (Audit) the admission review request
|
|
and report an error in a policy report. Optional.
|
|
Allowed values are Audit or Enforce.
|
|
enum:
|
|
- Audit
|
|
- Enforce
|
|
type: string
|
|
failureActionOverrides:
|
|
description: |-
|
|
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
|
|
namespace-wise. It overrides FailureAction for the specified namespaces.
|
|
items:
|
|
properties:
|
|
action:
|
|
description: ValidationFailureAction defines the policy
|
|
validation failure action
|
|
enum:
|
|
- audit
|
|
- enforce
|
|
- Audit
|
|
- Enforce
|
|
type: string
|
|
namespaceSelector:
|
|
description: |-
|
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
label selector matches no objects.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
type: array
|
|
foreach:
|
|
description: ForEach applies validate rules to a list of
|
|
sub-elements by creating a context for each entry in the
|
|
list and looping over it to apply the specified logic.
|
|
items:
|
|
description: ForEachValidation applies validate rules
|
|
to a list of sub-elements by creating a context for
|
|
each entry in the list and looping over it to apply
|
|
the specified logic.
|
|
properties:
|
|
anyPattern:
|
|
description: |-
|
|
AnyPattern specifies a list of validation patterns. At least one of the patterns
|
|
must be satisfied for the validation rule to succeed.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
context:
|
|
description: Context defines variables and data sources
|
|
that can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference or a APILookup must be provided.
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains the
|
|
HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns an error
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference is
|
|
a reference to a cached global context entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context
|
|
entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides
|
|
credentials that will be used for authentication
|
|
with the registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows
|
|
insecure access to a registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
Each entry can be one of these values: default, google, azure, amazon, github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is an image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath
|
|
context variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON
|
|
object representable in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
deny:
|
|
description: Deny defines conditions used to pass
|
|
or fail a validation rule.
|
|
properties:
|
|
conditions:
|
|
description: |-
|
|
Multiple conditions can be declared under an `any` or `all` statement. A direct list
|
|
of conditions (without `any` or `all` statements) is also supported for backwards compatibility
|
|
but will be deprecated in the next major release.
|
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
elementScope:
|
|
description: |-
|
|
ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
|
|
When set to "false", "request.object" is used as the validation scope within the foreach
|
|
block to allow referencing other elements in the subtree.
|
|
type: boolean
|
|
foreach:
|
|
description: Foreach declares a nested foreach iterator
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
list:
|
|
description: |-
|
|
List specifies a JMESPath expression that results in one or more elements
|
|
to which the validation logic is applied.
|
|
type: string
|
|
pattern:
|
|
description: Pattern specifies an overlay-style pattern
|
|
used to check resources.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
preconditions:
|
|
description: |-
|
|
AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display
|
|
message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions needs to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display
|
|
message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
manifests:
|
|
description: Manifest specifies conditions for manifest
|
|
verification
|
|
properties:
|
|
annotationDomain:
|
|
description: AnnotationDomain is the custom domain of the annotation
|
|
for message and signature. Default is "cosign.sigstore.dev".
|
|
type: string
|
|
attestors:
|
|
description: Attestors specifies the required attestors
|
|
(i.e. authorities)
|
|
items:
|
|
properties:
|
|
count:
|
|
description: |-
|
|
Count specifies the required number of entries that must match. If the count is null, all entries must match
|
|
(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
|
|
value N, then N must be less than or equal to the size of entries, and at least N entries must match.
|
|
minimum: 1
|
|
type: integer
|
|
entries:
|
|
description: |-
|
|
Entries contains the available attestors. An attestor can be a static key,
|
|
attributes for keyless verification, or a nested attestor declaration.
|
|
items:
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations are used for image verification.
|
|
Every specified key-value pair must exist and match in the verified payload.
|
|
The payload may contain other key-value pairs.
|
|
type: object
|
|
attestor:
|
|
description: Attestor is a nested set of
|
|
Attestor used to specify a more complex
|
|
set of match authorities.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
certificates:
|
|
description: Certificates specifies one
|
|
or more certificates.
|
|
properties:
|
|
cert:
|
|
description: Cert is an optional PEM-encoded
|
|
public certificate.
|
|
type: string
|
|
certChain:
|
|
description: CertChain is an optional
|
|
PEM encoded set of certificates used
|
|
to verify.
|
|
type: string
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set, is
|
|
used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp response.
|
|
type: string
|
|
type: object
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips transparency
|
|
log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
keyless:
|
|
description: |-
|
|
Keyless is a set of attributes used to verify a Sigstore keyless attestor.
|
|
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions are
|
|
certificate-extensions used for keyless
|
|
signing.
|
|
type: object
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set, is
|
|
used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp response.
|
|
type: string
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
issuerRegExp:
|
|
description: IssuerRegExp is the regular
|
|
expression to match certificate issuer
|
|
used for keyless signing.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips transparency
|
|
log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
roots:
|
|
description: |-
|
|
Roots is an optional set of PEM encoded trusted root certificates.
|
|
If not provided, the system roots are used.
|
|
type: string
|
|
subject:
|
|
description: Subject is the verified
|
|
identity used for keyless signing,
|
|
for example the email address.
|
|
type: string
|
|
subjectRegExp:
|
|
description: SubjectRegExp is the regular
|
|
expression to match identity used
|
|
for keyless signing, for example the
|
|
email address.
|
|
type: string
|
|
type: object
|
|
keys:
|
|
description: Keys specifies one or more
|
|
public keys.
|
|
properties:
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set, is
|
|
used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp source.
|
|
type: string
|
|
type: object
|
|
kms:
|
|
description: |-
|
|
KMS provides the URI to the public key stored in a Key Management System. See:
|
|
https://github.com/sigstore/cosign/blob/main/KMS.md
|
|
type: string
|
|
publicKeys:
|
|
description: |-
|
|
Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
|
|
specified or can be a variable reference to a key specified in a ConfigMap (see
|
|
https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
|
|
elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
|
|
The named Secret must specify a key `cosign.pub` containing the public key used for
|
|
verification (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
|
|
When multiple keys are specified each key is processed as a separate staticKey entry
|
|
(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips transparency
|
|
log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
secret:
|
|
description: Reference to a Secret resource
|
|
that contains a public key
|
|
properties:
|
|
name:
|
|
description: Name of the secret.
|
|
The provided secret must contain
|
|
a key named cosign.pub.
|
|
type: string
|
|
namespace:
|
|
description: Namespace name where
|
|
the Secret exists.
|
|
type: string
|
|
required:
|
|
- name
|
|
- namespace
|
|
type: object
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Deprecated. Use attestor.signatureAlgorithm
|
|
instead.
|
|
type: string
|
|
type: object
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
|
|
If specified, Repository will override other OCI image repository locations for this Attestor.
|
|
type: string
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Specify signature algorithm
|
|
for public keys. Supported values are
|
|
sha224, sha256, sha384 and sha512.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
dryRun:
|
|
description: DryRun configuration
|
|
properties:
|
|
enable:
|
|
type: boolean
|
|
namespace:
|
|
type: string
|
|
type: object
|
|
ignoreFields:
|
|
description: Fields which will be ignored while comparing
|
|
manifests.
|
|
items:
|
|
properties:
|
|
fields:
|
|
items:
|
|
type: string
|
|
type: array
|
|
objects:
|
|
items:
|
|
properties:
|
|
group:
|
|
type: string
|
|
kind:
|
|
type: string
|
|
name:
|
|
type: string
|
|
namespace:
|
|
type: string
|
|
version:
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for resource bundle reference.
|
|
The repository can be overridden per Attestor or Attestation.
|
|
type: string
|
|
type: object
|
|
message:
|
|
description: Message specifies a custom message to be displayed
|
|
on failure.
|
|
type: string
|
|
pattern:
|
|
description: Pattern specifies an overlay-style pattern
|
|
used to check resources.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
podSecurity:
|
|
description: |-
|
|
PodSecurity applies exemptions for Kubernetes Pod Security admission
|
|
by specifying exclusions for Pod Security Standards controls.
|
|
properties:
|
|
exclude:
|
|
description: Exclude specifies the Pod Security Standard
|
|
controls to be excluded.
|
|
items:
|
|
description: PodSecurityStandard specifies the Pod
|
|
Security Standard controls to be excluded.
|
|
properties:
|
|
controlName:
|
|
description: |-
|
|
ControlName specifies the name of the Pod Security Standard control.
|
|
See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
|
|
enum:
|
|
- HostProcess
|
|
- Host Namespaces
|
|
- Privileged Containers
|
|
- Capabilities
|
|
- HostPath Volumes
|
|
- Host Ports
|
|
- AppArmor
|
|
- SELinux
|
|
- /proc Mount Type
|
|
- Seccomp
|
|
- Sysctls
|
|
- Volume Types
|
|
- Privilege Escalation
|
|
- Running as Non-root
|
|
- Running as Non-root user
|
|
type: string
|
|
images:
|
|
description: |-
|
|
Images selects matching containers and applies the container level PSS.
|
|
Each image is the image name consisting of the registry address, repository, image, and tag.
|
|
Empty list matches no containers, PSS checks are applied at the pod level only.
|
|
Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
|
|
items:
|
|
type: string
|
|
type: array
|
|
restrictedField:
|
|
description: |-
|
|
RestrictedField selects the field for the given Pod Security Standard control.
|
|
When not set, all restricted fields for the control are selected.
|
|
type: string
|
|
values:
|
|
description: Values defines the allowed values
|
|
that can be excluded.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- controlName
|
|
type: object
|
|
type: array
|
|
level:
|
|
description: |-
|
|
Level defines the Pod Security Standard level to be applied to workloads.
|
|
Allowed values are privileged, baseline, and restricted.
|
|
enum:
|
|
- privileged
|
|
- baseline
|
|
- restricted
|
|
type: string
|
|
version:
|
|
description: |-
|
|
Version defines the Pod Security Standard versions that Kubernetes supports.
|
|
Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
|
|
enum:
|
|
- v1.19
|
|
- v1.20
|
|
- v1.21
|
|
- v1.22
|
|
- v1.23
|
|
- v1.24
|
|
- v1.25
|
|
- v1.26
|
|
- v1.27
|
|
- v1.28
|
|
- v1.29
|
|
- latest
|
|
type: string
|
|
type: object
|
|
type: object
|
|
verifyImages:
|
|
description: VerifyImages is used to verify image signatures
|
|
and mutate them to add a digest
|
|
items:
|
|
description: |-
|
|
ImageVerification validates that images that match the specified pattern
|
|
are signed with the supplied public key. Once the image is verified it is
|
|
mutated to include the SHA digest retrieved during the registration.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: Deprecated.
|
|
type: object
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Deprecated. Use annotations per Attestor
|
|
instead.
|
|
type: object
|
|
attestations:
|
|
description: |-
|
|
Attestations are optional checks for signed in-toto Statements used to verify the image.
|
|
See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
|
|
OCI registry and decodes them into a list of Statement declarations.
|
|
items:
|
|
description: |-
|
|
Attestation are checks for signed in-toto Statements that are used to verify the image.
|
|
See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
|
|
OCI registry and decodes them into a list of Statements.
|
|
properties:
|
|
attestors:
|
|
description: Attestors specify the required attestors
|
|
(i.e. authorities).
|
|
items:
|
|
properties:
|
|
count:
|
|
description: |-
|
|
Count specifies the required number of entries that must match. If the count is null, all entries must match
|
|
(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
|
|
value N, then N must be less than or equal to the size of entries, and at least N entries must match.
|
|
minimum: 1
|
|
type: integer
|
|
entries:
|
|
description: |-
|
|
Entries contains the available attestors. An attestor can be a static key,
|
|
attributes for keyless verification, or a nested attestor declaration.
|
|
items:
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations are used for image verification.
|
|
Every specified key-value pair must exist and match in the verified payload.
|
|
The payload may contain other key-value pairs.
|
|
type: object
|
|
attestor:
|
|
description: Attestor is a nested set
|
|
of Attestor used to specify a more
|
|
complex set of match authorities.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
certificates:
|
|
description: Certificates specifies
|
|
one or more certificates.
|
|
properties:
|
|
cert:
|
|
description: Cert is an optional
|
|
PEM-encoded public certificate.
|
|
type: string
|
|
certChain:
|
|
description: CertChain is an optional
|
|
PEM encoded set of certificates
|
|
used to verify.
|
|
type: string
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set,
|
|
is used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp source.
|
|
type: string
|
|
type: object
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
transparency log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
keyless:
|
|
description: |-
|
|
Keyless is a set of attributes used to verify a Sigstore keyless attestor.
|
|
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions
|
|
are certificate-extensions used
|
|
for keyless signing.
|
|
type: object
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set,
|
|
is used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp source.
|
|
type: string
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
issuerRegExp:
|
|
description: IssuerRegExp is the
|
|
regular expression to match certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
transparency log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
roots:
|
|
description: |-
|
|
Roots is an optional set of PEM encoded trusted root certificates.
|
|
If not provided, the system roots are used.
|
|
type: string
|
|
subject:
|
|
description: Subject is the verified
|
|
identity used for keyless signing,
|
|
for example the email address.
|
|
type: string
|
|
subjectRegExp:
|
|
description: SubjectRegExp is the
|
|
regular expression to match identity
|
|
used for keyless signing, for
|
|
example the email address.
|
|
type: string
|
|
type: object
|
|
keys:
|
|
description: Keys specifies one or more
|
|
public keys.
|
|
properties:
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set,
|
|
is used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp source.
|
|
type: string
|
|
type: object
|
|
kms:
|
|
description: |-
|
|
KMS provides the URI to the public key stored in a Key Management System. See:
|
|
https://github.com/sigstore/cosign/blob/main/KMS.md
|
|
type: string
|
|
publicKeys:
|
|
description: |-
|
|
Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
|
|
specified or can be a variable reference to a key specified in a ConfigMap (see
|
|
https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
|
|
elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
|
|
The named Secret must specify a key `cosign.pub` containing the public key used for
|
|
verification (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
|
|
When multiple keys are specified each key is processed as a separate staticKey entry
|
|
(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
transparency log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
secret:
|
|
description: Reference to a Secret
|
|
resource that contains a public
|
|
key
|
|
properties:
|
|
name:
|
|
description: Name of the secret.
|
|
The provided secret must contain
|
|
a key named cosign.pub.
|
|
type: string
|
|
namespace:
|
|
description: Namespace name
|
|
where the Secret exists.
|
|
type: string
|
|
required:
|
|
- name
|
|
- namespace
|
|
type: object
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Deprecated. Use attestor.signatureAlgorithm
|
|
instead.
|
|
type: string
|
|
type: object
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
|
|
If specified, Repository will override other OCI image repository locations for this Attestor.
|
|
type: string
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Specify signature algorithm
|
|
for public keys. Supported values
|
|
are sha224, sha256, sha384 and sha512.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
conditions:
|
|
description: |-
|
|
Conditions are used to verify attributes within a Predicate. If no Conditions are specified
|
|
the attestation check is satisfied as long as there are predicates that match the predicate type.
|
|
items:
|
|
description: |-
|
|
AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
|
|
AnyConditions get fulfilled when at least one of its sub-conditions passes.
|
|
AllConditions get fulfilled only when all of its sub-conditions pass.
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
predicateType:
|
|
description: Deprecated in favour of 'Type', to
|
|
be removed soon
|
|
type: string
|
|
type:
|
|
description: Type defines the type of attestation
|
|
contained within the Statement.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
attestors:
|
|
description: Attestors specify the required attestors
|
|
(i.e. authorities)
|
|
items:
|
|
properties:
|
|
count:
|
|
description: |-
|
|
Count specifies the required number of entries that must match. If the count is null, all entries must match
|
|
(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
|
|
value N, then N must be less than or equal to the size of entries, and at least N entries must match.
|
|
minimum: 1
|
|
type: integer
|
|
entries:
|
|
description: |-
|
|
Entries contains the available attestors. An attestor can be a static key,
|
|
attributes for keyless verification, or a nested attestor declaration.
|
|
items:
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations are used for image verification.
|
|
Every specified key-value pair must exist and match in the verified payload.
|
|
The payload may contain other key-value pairs.
|
|
type: object
|
|
attestor:
|
|
description: Attestor is a nested set of Attestor
|
|
used to specify a more complex set of match
|
|
authorities.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
certificates:
|
|
description: Certificates specifies one or
|
|
more certificates.
|
|
properties:
|
|
cert:
|
|
description: Cert is an optional PEM-encoded
|
|
public certificate.
|
|
type: string
|
|
certChain:
|
|
description: CertChain is an optional
|
|
PEM encoded set of certificates used
|
|
to verify.
|
|
type: string
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set, is used
|
|
to validate SCTs against a custom
|
|
source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp source.
|
|
type: string
|
|
type: object
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips transparency
|
|
log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address of
|
|
the transparency log. Defaults to
|
|
the public Rekor log instance https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
keyless:
|
|
description: |-
|
|
Keyless is a set of attributes used to verify a Sigstore keyless attestor.
|
|
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions are
|
|
certificate-extensions used for keyless
|
|
signing.
|
|
type: object
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set, is used
|
|
to validate SCTs against a custom
|
|
source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp source.
|
|
type: string
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
issuerRegExp:
|
|
description: IssuerRegExp is the regular
|
|
expression to match certificate issuer
|
|
used for keyless signing.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips transparency
|
|
log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address of
|
|
the transparency log. Defaults to
|
|
the public Rekor log instance https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
roots:
|
|
description: |-
|
|
Roots is an optional set of PEM encoded trusted root certificates.
|
|
If not provided, the system roots are used.
|
|
type: string
|
|
subject:
|
|
description: Subject is the verified identity
|
|
used for keyless signing, for example
|
|
the email address.
|
|
type: string
|
|
subjectRegExp:
|
|
description: SubjectRegExp is the regular
|
|
expression to match identity used for
|
|
keyless signing, for example the email
|
|
address.
|
|
type: string
|
|
type: object
|
|
keys:
|
|
description: Keys specifies one or more public
|
|
keys.
|
|
properties:
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set, is used
|
|
to validate SCTs against a custom
|
|
source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp source.
|
|
type: string
|
|
type: object
|
|
kms:
|
|
description: |-
|
|
KMS provides the URI to the public key stored in a Key Management System. See:
|
|
https://github.com/sigstore/cosign/blob/main/KMS.md
|
|
type: string
|
|
publicKeys:
|
|
description: |-
|
|
Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
|
|
specified or can be a variable reference to a key specified in a ConfigMap (see
|
|
https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
|
|
elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
|
|
The named Secret must specify a key `cosign.pub` containing the public key used for
|
|
verification (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
|
|
When multiple keys are specified each key is processed as a separate staticKey entry
|
|
(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips transparency
|
|
log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address of
|
|
the transparency log. Defaults to
|
|
the public Rekor log instance https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
secret:
|
|
description: Reference to a Secret resource
|
|
that contains a public key
|
|
properties:
|
|
name:
|
|
description: Name of the secret. The
|
|
provided secret must contain a key
|
|
named cosign.pub.
|
|
type: string
|
|
namespace:
|
|
description: Namespace name where
|
|
the Secret exists.
|
|
type: string
|
|
required:
|
|
- name
|
|
- namespace
|
|
type: object
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Deprecated. Use attestor.signatureAlgorithm
|
|
instead.
|
|
type: string
|
|
type: object
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
|
|
If specified, Repository will override other OCI image repository locations for this Attestor.
|
|
type: string
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Specify signature algorithm for
|
|
public keys. Supported values are sha224,
|
|
sha256, sha384 and sha512.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
cosignOCI11:
|
|
description: |-
|
|
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
|
Defaults to false.
|
|
type: boolean
|
|
failureAction:
|
|
description: Allowed values are Audit or Enforce.
|
|
enum:
|
|
- Audit
|
|
- Enforce
|
|
type: string
|
|
image:
|
|
description: Deprecated. Use ImageReferences instead.
|
|
type: string
|
|
imageReferences:
|
|
description: |-
|
|
ImageReferences is a list of matching image reference patterns. At least one pattern in the
|
|
list must match the image for the rule to apply. Each image reference consists of a registry
|
|
address (defaults to docker.io), repository, image, and tag (defaults to latest).
|
|
Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
|
|
items:
|
|
type: string
|
|
type: array
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides credentials
|
|
that will be used for authentication with registry.
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows insecure
|
|
access to a registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
It can be one of these values: default, google, azure, amazon, github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
issuer:
|
|
description: Deprecated. Use KeylessAttestor instead.
|
|
type: string
|
|
key:
|
|
description: Deprecated. Use StaticKeyAttestor instead.
|
|
type: string
|
|
mutateDigest:
|
|
default: true
|
|
description: |-
|
|
MutateDigest enables replacement of image tags with digests.
|
|
Defaults to true.
|
|
type: boolean
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
|
|
If specified Repository will override the default OCI image repository configured for the installation.
|
|
The repository can also be overridden per Attestor or Attestation.
|
|
type: string
|
|
required:
|
|
default: true
|
|
description: Required validates that images are verified
|
|
i.e. have passed a signature or attestation
|
|
check.
|
|
type: boolean
|
|
roots:
|
|
description: Deprecated. Use KeylessAttestor instead.
|
|
type: string
|
|
skipImageReferences:
|
|
description: |-
|
|
SkipImageReferences is a list of matching image reference patterns that should be skipped.
|
|
At least one pattern in the list must match the image for the rule to be skipped. Each image reference
|
|
consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
|
|
Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subject:
|
|
description: Deprecated. Use KeylessAttestor instead.
|
|
type: string
|
|
type:
|
|
description: |-
|
|
Type specifies the method of signature validation. The allowed options
|
|
are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified.
|
|
enum:
|
|
- Cosign
|
|
- SigstoreBundle
|
|
- Notary
|
|
type: string
|
|
useCache:
|
|
default: true
|
|
description: UseCache enables caching of image verify
|
|
responses for this rule.
|
|
type: boolean
|
|
verifyDigest:
|
|
default: true
|
|
description: VerifyDigest validates that images have a
|
|
digest.
|
|
type: boolean
|
|
type: object
|
|
type: array
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
schemaValidation:
|
|
description: Deprecated.
|
|
type: boolean
|
|
useServerSideApply:
|
|
description: |-
|
|
UseServerSideApply controls whether to use server-side apply for generate rules
|
|
If set to "true", create & update for generate rules will use apply instead of create/update.
|
|
Defaults to "false" if not specified.
|
|
type: boolean
|
|
validationFailureAction:
|
|
default: Audit
|
|
description: Deprecated, use validationFailureAction under the validate
|
|
rule instead.
|
|
enum:
|
|
- audit
|
|
- enforce
|
|
- Audit
|
|
- Enforce
|
|
type: string
|
|
validationFailureActionOverrides:
|
|
description: Deprecated, use validationFailureActionOverrides under
|
|
the validate rule instead.
|
|
items:
|
|
properties:
|
|
action:
|
|
description: ValidationFailureAction defines the policy validation
|
|
failure action
|
|
enum:
|
|
- audit
|
|
- enforce
|
|
- Audit
|
|
- Enforce
|
|
type: string
|
|
namespaceSelector:
|
|
description: |-
|
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
label selector matches no objects.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label selector
|
|
requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the selector
|
|
applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
type: array
|
|
webhookConfiguration:
|
|
description: WebhookConfiguration specifies the custom configuration
|
|
for Kubernetes admission webhookconfiguration.
|
|
properties:
|
|
failurePolicy:
|
|
description: |-
|
|
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
|
|
Rules within the same policy share the same failure behavior.
|
|
This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
|
|
Allowed values are Ignore or Fail. Defaults to Fail.
|
|
enum:
|
|
- Ignore
|
|
- Fail
|
|
type: string
|
|
matchConditions:
|
|
description: |-
|
|
MatchCondition configures admission webhook matchConditions.
|
|
Requires Kubernetes 1.27 or later.
|
|
items:
|
|
description: MatchCondition represents a condition which must
|
|
be fulfilled for a request to be sent to a webhook.
|
|
properties:
|
|
expression:
|
|
description: |-
|
|
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
|
|
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
|
|
|
|
'object' - The object from the incoming request. The value is null for DELETE requests.
|
|
'oldObject' - The existing object. The value is null for CREATE requests.
|
|
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
|
|
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
|
|
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
|
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
|
|
request resource.
|
|
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
|
|
|
|
Required.
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name is an identifier for this match condition, used for strategic merging of MatchConditions,
|
|
as well as providing an identifier for logging purposes. A good name should be descriptive of
|
|
the associated expression.
|
|
Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
|
|
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
|
|
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
|
|
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
|
|
|
|
Required.
|
|
type: string
|
|
required:
|
|
- expression
|
|
- name
|
|
type: object
|
|
type: array
|
|
timeoutSeconds:
|
|
description: |-
|
|
TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
|
|
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
|
|
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
|
|
format: int32
|
|
type: integer
|
|
type: object
|
|
webhookTimeoutSeconds:
|
|
description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration
|
|
instead.
|
|
format: int32
|
|
type: integer
|
|
type: object
|
|
status:
|
|
description: Status contains policy runtime data.
|
|
properties:
|
|
autogen:
|
|
description: AutogenStatus contains autogen status information.
|
|
properties:
|
|
rules:
|
|
description: Rules is a list of Rule instances. It contains auto
|
|
generated rules added for pod controllers
|
|
items:
|
|
description: |-
|
|
Rule defines a validation, mutation, or generation control for matching resources.
|
|
Each rule contains a match declaration to select resources, and an optional exclude
|
|
declaration to specify which resources to exclude.
|
|
properties:
|
|
celPreconditions:
|
|
description: |-
|
|
CELPreconditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of CEL conditions. It can only be used with the validate.cel subrule
|
|
items:
|
|
description: MatchCondition represents a condition which
|
|
must be fulfilled for a request to be sent to a webhook.
|
|
properties:
|
|
expression:
|
|
description: |-
|
|
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
|
|
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
|
|
|
|
'object' - The object from the incoming request. The value is null for DELETE requests.
|
|
'oldObject' - The existing object. The value is null for CREATE requests.
|
|
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
|
|
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
|
|
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
|
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
|
|
request resource.
|
|
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
|
|
|
|
Required.
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name is an identifier for this match condition, used for strategic merging of MatchConditions,
|
|
as well as providing an identifier for logging purposes. A good name should be descriptive of
|
|
the associated expression.
|
|
Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
|
|
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
|
|
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
|
|
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
|
|
|
|
Required.
|
|
type: string
|
|
required:
|
|
- expression
|
|
- name
|
|
type: object
|
|
type: array
|
|
context:
|
|
description: Context defines variables and data sources
|
|
that can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference or an APILookup must be provided.
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains the HTTP POST
|
|
data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns error
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request type (GET
|
|
or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference is a reference
|
|
to a cached global context entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides
|
|
credentials that will be used for authentication
|
|
with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows
|
|
insecure access to a registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
It can be one of these values: default, google, azure, amazon, github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential providers
|
|
required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath
|
|
context variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON object
|
|
representable in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
exclude:
|
|
description: |-
|
|
ExcludeResources defines when this policy rule should not be applied. The exclude
|
|
criteria can include resource information (e.g. kind, name, namespace, labels)
|
|
and admission review request information like the name or role.
|
|
not:
|
|
required:
|
|
- any
|
|
- all
|
|
properties:
|
|
all:
|
|
description: All allows specifying resources which will
|
|
be ANDed
|
|
items:
|
|
description: ResourceFilter allows users to "AND" or
|
|
"OR" between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespaces names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values
|
|
["CREATE", "UPDATE", "CONNECT", "DELETE"],
|
|
which are used to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have
|
|
one of the values CREATE, UPDATE, CONNECT,
|
|
DELETE, which are used to match a specific
|
|
action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: Any allows specifying resources which will
|
|
be ORed
|
|
items:
|
|
description: ResourceFilter allows users to "AND" or
|
|
"OR" between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespaces names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values
|
|
["CREATE", "UPDATE", "CONNECT", "DELETE"],
|
|
which are used to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have
|
|
one of the values CREATE, UPDATE, CONNECT,
|
|
DELETE, which are used to match a specific
|
|
action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is not namespaced, such as "User" or "Group", and this value is not empty,
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: |-
|
|
ResourceDescription contains information about the resource being created or modified.
|
|
Requires at least one tag to be specified when under MatchResources.
|
|
Specifying ResourceDescription directly under match is being deprecated.
|
|
Please specify under "any" or "all" instead.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used
|
|
to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one of
|
|
the values CREATE, UPDATE, CONNECT, DELETE,
|
|
which are used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is not namespaced, such as "User" or "Group", and this value is not empty,
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
generate:
|
|
description: Generation is used to create new resources.
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
clone:
|
|
description: |-
|
|
Clone specifies the source resource used to populate each generated resource.
|
|
At most one of Data or Clone can be specified. If neither are provided, the generated
|
|
resource will be created with default data only.
|
|
properties:
|
|
name:
|
|
description: Name specifies name of the resource.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies source resource
|
|
namespace.
|
|
type: string
|
|
type: object
|
|
cloneList:
|
|
description: CloneList specifies the list of source
|
|
resource used to populate each generated resource.
|
|
properties:
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespace:
|
|
description: Namespace specifies source resource
|
|
namespace.
|
|
type: string
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. For label keys and values in `matchLabels`,
|
|
wildcard characters are not supported.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
data:
|
|
description: |-
|
|
Data provides the resource declaration used to populate each generated resource.
|
|
At most one of Data or Clone must be specified. If neither are provided, the generated
|
|
resource will be created with default data only.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
foreach:
|
|
description: ForEach applies generate rules to a list
|
|
of sub-elements by creating a context for each entry
|
|
in the list and looping over it to apply the specified
|
|
logic.
|
|
items:
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
clone:
|
|
description: |-
|
|
Clone specifies the source resource used to populate each generated resource.
|
|
At most one of Data or Clone can be specified. If neither are provided, the generated
|
|
resource will be created with default data only.
|
|
properties:
|
|
name:
|
|
description: Name specifies name of the resource.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies source resource
|
|
namespace.
|
|
type: string
|
|
type: object
|
|
cloneList:
|
|
description: CloneList specifies the list of source
|
|
resource used to populate each generated resource.
|
|
properties:
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespace:
|
|
description: Namespace specifies source resource
|
|
namespace.
|
|
type: string
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. For label keys and values in `matchLabels`,
|
|
wildcard characters are not supported.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
context:
|
|
description: Context defines variables and data
|
|
sources that can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference or an APILookup must be provided.
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains
|
|
the HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data
|
|
value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns an error.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap
|
|
reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference
|
|
is a reference to a cached global context
|
|
entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context
|
|
entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials
|
|
provides credentials that will be
|
|
used for authentication with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry
|
|
allows insecure access to a registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
It can be one of these values: default, google, azure, amazon, github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is an image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary
|
|
JMESPath context variable that can be
|
|
defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary
|
|
JSON object representable in YAML
|
|
or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
data:
|
|
description: |-
|
|
Data provides the resource declaration used to populate each generated resource.
|
|
At most one of Data or Clone must be specified. If neither are provided, the generated
|
|
resource will be created with default data only.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
list:
|
|
description: |-
|
|
List specifies a JMESPath expression that results in one or more elements
|
|
to which the validation logic is applied.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
preconditions:
|
|
description: |-
|
|
AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
uid:
|
|
description: UID specifies the resource uid.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
generateExisting:
|
|
description: |-
|
|
GenerateExisting controls whether to trigger the rule in existing resources.
|
|
If set to "true", the rule will be triggered and applied to existing matched resources.
|
|
type: boolean
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
orphanDownstreamOnPolicyDelete:
|
|
description: |-
|
|
OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
|
|
them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
|
|
See https://kyverno.io/docs/writing-policies/generate/#data-examples.
|
|
Defaults to "false" if not specified.
|
|
type: boolean
|
|
synchronize:
|
|
description: |-
|
|
Synchronize controls if generated resources should be kept in-sync with their source resource.
|
|
If Synchronize is set to "true" changes to generated resources will be overwritten with resource
|
|
data from Data or the resource specified in the Clone declaration.
|
|
Optional. Defaults to "false" if not specified.
|
|
type: boolean
|
|
uid:
|
|
description: UID specifies the resource uid.
|
|
type: string
|
|
type: object
|
|
imageExtractors:
|
|
additionalProperties:
|
|
items:
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath expression to apply to the image value.
|
|
This is useful when the extracted image begins with a prefix like 'docker://'.
|
|
The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
|
|
Note - Image digest mutation may not be used when applying a JMESPath to an image.
|
|
type: string
|
|
key:
|
|
description: |-
|
|
Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
|
|
Note - this field MUST be unique.
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name is the entry the image will be available under 'images.<name>' in the context.
|
|
If this field is not defined, image entries will appear under 'images.custom'.
|
|
type: string
|
|
path:
|
|
description: |-
|
|
Path is the path to the object containing the image field in a custom resource.
|
|
It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
|
|
Wildcard keys are expanded in case of arrays or objects.
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is an optional name of the field within 'path' that points to the image URI.
|
|
This is useful when a custom 'key' is also defined.
|
|
type: string
|
|
required:
|
|
- path
|
|
type: object
|
|
type: array
|
|
description: |-
|
|
ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
|
|
This config is only valid for verifyImages rules.
|
|
type: object
|
|
match:
|
|
description: |-
|
|
MatchResources defines when this policy rule should be applied. The match
|
|
criteria can include resource information (e.g. kind, name, namespace, labels)
|
|
and admission review request information like the user name or role.
|
|
At least one kind is required.
|
|
not:
|
|
required:
|
|
- any
|
|
- all
|
|
properties:
|
|
all:
|
|
description: All allows specifying resources which will
|
|
be ANDed
|
|
items:
|
|
description: ResourceFilter allows users to "AND" or
|
|
"OR" between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values
|
|
["CREATE", "UPDATE", "CONNECT", "DELETE"],
|
|
which are used to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have
|
|
one of the values CREATE, UPDATE, CONNECT,
|
|
DELETE, which are used to match a specific
|
|
action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: Any allows specifying resources which will
|
|
be ORed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or
|
|
"OR" between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespaces names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values
|
|
["CREATE", "UPDATE", "CONNECT", "DELETE"],
|
|
which are used to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have
|
|
one of the values CREATE, UPDATE, CONNECT,
|
|
DELETE, which are used to match a specific
|
|
action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: |-
|
|
ResourceDescription contains information about the resource being created or modified.
|
|
Requires at least one tag to be specified when under MatchResources.
|
|
Specifying ResourceDescription directly under match is being deprecated.
|
|
Please specify under "any" or "all" instead.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespaces names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used
|
|
to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one of
|
|
the values CREATE, UPDATE, CONNECT, DELETE,
|
|
which are used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
mutate:
|
|
description: Mutation is used to modify matching resources.
|
|
properties:
|
|
foreach:
|
|
description: ForEach applies mutation rules to a list
|
|
of sub-elements by creating a context for each entry
|
|
in the list and looping over it to apply the specified
|
|
logic.
|
|
items:
|
|
description: ForEachMutation applies mutation rules
|
|
to a list of sub-elements by creating a context
|
|
for each entry in the list and looping over it to
|
|
apply the specified logic.
|
|
properties:
|
|
context:
|
|
description: Context defines variables and data
|
|
sources that can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference, an API call, an image registry lookup, an inline variable, or a global context reference must be provided (exactly one).
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains
|
|
the HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data
|
|
value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns an error.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap
|
|
reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference
|
|
is a reference to a cached global context
|
|
entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context
|
|
entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials
|
|
provides credentials that will be
|
|
used for authentication with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry
|
|
allows insecure access to a registry. This weakens transport security and should only be enabled for trusted, non-production registries.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies the list of registry credential providers to use when authenticating to the registry.
|
|
Each entry must be one of: default, google, azure, amazon, github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary
|
|
JMESPath context variable that can be
|
|
defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary
|
|
JSON object representable in YAML
|
|
or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
foreach:
|
|
description: Foreach declares a nested foreach
|
|
iterator
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
list:
|
|
description: |-
|
|
List specifies a JMESPath expression that results in one or more elements
|
|
to which the mutation logic is applied.
|
|
type: string
|
|
order:
|
|
description: |-
|
|
Order defines the iteration order on the list.
|
|
Can be Ascending to iterate from the first to the last element, or Descending to iterate from the last to the first element.
|
|
enum:
|
|
- Ascending
|
|
- Descending
|
|
type: string
|
|
patchStrategicMerge:
|
|
description: |-
|
|
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
|
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
|
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
patchesJson6902:
|
|
description: |-
|
|
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
|
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
|
type: string
|
|
preconditions:
|
|
description: |-
|
|
AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
mutateExistingOnPolicyUpdate:
|
|
description: MutateExistingOnPolicyUpdate controls if
|
|
the mutateExisting rule will be applied on policy
|
|
events.
|
|
type: boolean
|
|
patchStrategicMerge:
|
|
description: |-
|
|
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
|
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
|
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
patchesJson6902:
|
|
description: |-
|
|
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
|
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
|
type: string
|
|
targets:
|
|
description: Targets defines the target resources to
|
|
be mutated.
|
|
items:
|
|
description: TargetResourceSpec defines targets for
|
|
mutating existing resources.
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
context:
|
|
description: Context defines variables and data
|
|
sources that can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference, an API call, an image registry lookup, an inline variable, or a global context reference must be provided (exactly one).
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains
|
|
the HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data
|
|
value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns an error.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap
|
|
reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference
|
|
is a reference to a cached global context
|
|
entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context
|
|
entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials
|
|
provides credentials that will be
|
|
used for authentication with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry
|
|
allows insecure access to a registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
It can be one of these values: default, google, azure, amazon, github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is an image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary
|
|
JMESPath context variable that can be
|
|
defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary
|
|
JSON object representable in YAML
|
|
or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
preconditions:
|
|
description: |-
|
|
Preconditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
|
|
of conditions (without `any` or `all` statements) is supported for backwards compatibility but
|
|
will be deprecated in the next major release.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
uid:
|
|
description: UID specifies the resource uid.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
name:
|
|
description: Name is a label to identify the rule. It must
|
|
be unique within the policy.
|
|
maxLength: 63
|
|
type: string
|
|
preconditions:
|
|
description: |-
|
|
Preconditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
|
|
of conditions (without `any` or `all` statements) is supported for backwards compatibility but
|
|
will be deprecated in the next major release.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
reportProperties:
|
|
additionalProperties:
|
|
type: string
|
|
description: ReportProperties are the additional properties
|
|
from the rule that will be added to the policy report
|
|
result
|
|
type: object
|
|
skipBackgroundRequests:
|
|
default: true
|
|
description: |-
|
|
SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
|
|
The default value is "true"; it must be set to "false" to apply
|
|
generate and mutateExisting rules to those requests.
|
|
type: boolean
|
|
validate:
|
|
description: Validation is used to validate matching resources.
|
|
properties:
|
|
anyPattern:
|
|
description: |-
|
|
AnyPattern specifies list of validation patterns. At least one of the patterns
|
|
must be satisfied for the validation rule to succeed.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
assert:
|
|
description: Assert defines a kyverno-json assertion
|
|
tree.
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
cel:
|
|
description: CEL allows validation checks using the
|
|
Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
|
|
properties:
|
|
auditAnnotations:
|
|
description: AuditAnnotations contains CEL expressions
|
|
which are used to produce audit annotations for
|
|
the audit event of the API request.
|
|
items:
|
|
description: AuditAnnotation describes how to
|
|
produce an audit annotation for an API request.
|
|
properties:
|
|
key:
|
|
description: |-
|
|
key specifies the audit annotation key. The audit annotation keys of
|
|
a ValidatingAdmissionPolicy must be unique. The key must be a qualified
|
|
name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
|
|
|
|
The key is combined with the resource name of the
|
|
ValidatingAdmissionPolicy to construct an audit annotation key:
|
|
"{ValidatingAdmissionPolicy name}/{key}".
|
|
|
|
If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
|
|
and the same audit annotation key, the annotation key will be identical.
|
|
In this case, the first annotation written with the key will be included
|
|
in the audit event and all subsequent annotations with the same key
|
|
will be discarded.
|
|
|
|
Required.
|
|
type: string
|
|
valueExpression:
|
|
description: |-
|
|
valueExpression represents the expression which is evaluated by CEL to
|
|
produce an audit annotation value. The expression must evaluate to either
|
|
a string or null value. If the expression evaluates to a string, the
|
|
audit annotation is included with the string value. If the expression
|
|
evaluates to null or empty string the audit annotation will be omitted.
|
|
The valueExpression may be no longer than 5kb in length.
|
|
If the result of the valueExpression is more than 10kb in length, it
|
|
will be truncated to 10kb.
|
|
|
|
If multiple ValidatingAdmissionPolicyBinding resources match an
|
|
API request, then the valueExpression will be evaluated for
|
|
each binding. All unique values produced by the valueExpressions
|
|
will be joined together in a comma-separated list.
|
|
|
|
Required.
|
|
type: string
|
|
required:
|
|
- key
|
|
- valueExpression
|
|
type: object
|
|
type: array
|
|
expressions:
|
|
description: Expressions is a list of CELExpression
|
|
types.
|
|
items:
|
|
description: Validation specifies the CEL expression
|
|
which is used to apply the validation.
|
|
properties:
|
|
expression:
|
|
description: "Expression represents the expression
|
|
which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
|
|
expressions have access to the contents
|
|
of the API request/response, organized into
|
|
CEL variables as well as some other useful
|
|
variables:\n\n- 'object' - The object from
|
|
the incoming request. The value is null
|
|
for DELETE requests.\n- 'oldObject' - The
|
|
existing object. The value is null for CREATE
|
|
requests.\n- 'request' - Attributes of the
|
|
API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
|
|
'params' - Parameter resource referred to
|
|
by the policy binding being evaluated. Only
|
|
populated if the policy has a ParamKind.\n-
|
|
'namespaceObject' - The namespace object
|
|
that the incoming object belongs to. The
|
|
value is null for cluster-scoped resources.\n-
|
|
'variables' - Map of composited variables,
|
|
from its name to its lazily evaluated value.\n
|
|
\ For example, a variable named 'foo' can
|
|
be accessed as 'variables.foo'.\n- 'authorizer'
|
|
- A CEL Authorizer. May be used to perform
|
|
authorization checks for the principal (user
|
|
or service account) of the request.\n See
|
|
https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
|
|
'authorizer.requestResource' - A CEL ResourceCheck
|
|
constructed from the 'authorizer' and configured
|
|
with the\n request resource.\n\nThe `apiVersion`,
|
|
`kind`, `metadata.name` and `metadata.generateName`
|
|
are always accessible from the root of the\nobject.
|
|
No other metadata properties are accessible.\n\nOnly
|
|
property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
|
|
are accessible.\nAccessible property names
|
|
are escaped according to the following rules
|
|
when accessed in the expression:\n- '__'
|
|
escapes to '__underscores__'\n- '.' escapes
|
|
to '__dot__'\n- '-' escapes to '__dash__'\n-
|
|
'/' escapes to '__slash__'\n- Property names
|
|
that exactly match a CEL RESERVED keyword
|
|
escape to '__{keyword}__'. The keywords
|
|
are:\n\t \"true\", \"false\", \"null\",
|
|
\"in\", \"as\", \"break\", \"const\", \"continue\",
|
|
\"else\", \"for\", \"function\", \"if\",\n\t
|
|
\ \"import\", \"let\", \"loop\", \"package\",
|
|
\"namespace\", \"return\".\nExamples:\n
|
|
\ - Expression accessing a property named
|
|
\"namespace\": {\"Expression\": \"object.__namespace__
|
|
> 0\"}\n - Expression accessing a property
|
|
named \"x-prop\": {\"Expression\": \"object.x__dash__prop
|
|
> 0\"}\n - Expression accessing a property
|
|
named \"redact__d\": {\"Expression\": \"object.redact__underscores__d
|
|
> 0\"}\n\nEquality on arrays with list type
|
|
of 'set' or 'map' ignores element order,
|
|
i.e. [1, 2] == [2, 1].\nConcatenation on
|
|
arrays with x-kubernetes-list-type use the
|
|
semantics of the list type:\n - 'set':
|
|
`X + Y` performs a union where the array
|
|
positions of all elements in `X` are preserved
|
|
and\n non-intersecting elements in `Y`
|
|
are appended, retaining their partial order.\n
|
|
\ - 'map': `X + Y` performs a merge where
|
|
the array positions of all keys in `X` are
|
|
preserved but the values\n are overwritten
|
|
by values in `Y` when the key sets of `X`
|
|
and `Y` intersect. Elements in `Y` with\n
|
|
\ non-intersecting keys are appended,
|
|
retaining their partial order.\nRequired."
|
|
type: string
|
|
message:
|
|
description: |-
|
|
Message represents the message displayed when validation fails. The message is required if the Expression contains
|
|
line breaks. The message must not contain line breaks.
|
|
If unset, the message is "failed rule: {Rule}".
|
|
e.g. "must be a URL with the host matching spec.host"
|
|
If the Expression contains line breaks. Message is required.
|
|
The message must not contain line breaks.
|
|
If unset, the message is "failed Expression: {Expression}".
|
|
type: string
|
|
messageExpression:
|
|
description: |-
|
|
messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
|
|
Since messageExpression is used as a failure message, it must evaluate to a string.
|
|
If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
|
|
If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
|
|
as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
|
|
that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
|
|
the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
|
|
messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
|
|
Example:
|
|
"object.x must be less than max ("+string(params.max)+")"
|
|
type: string
|
|
reason:
|
|
description: |-
|
|
Reason represents a machine-readable description of why this validation failed.
|
|
If this is the first validation in the list to fail, this reason, as well as the
|
|
corresponding HTTP response code, are used in the
|
|
HTTP response to the client.
|
|
The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
|
|
If not set, StatusReasonInvalid is used in the response to the client.
|
|
type: string
|
|
required:
|
|
- expression
|
|
type: object
|
|
type: array
|
|
paramKind:
|
|
description: ParamKind is a tuple of Group Kind
|
|
and Version.
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion is the API group version the resources belong to.
|
|
In format of "group/version".
|
|
Required.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is the API kind the resources belong to.
|
|
Required.
|
|
type: string
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
paramRef:
|
|
description: ParamRef references a parameter resource.
|
|
properties:
|
|
name:
|
|
description: |-
|
|
name is the name of the resource being referenced.
|
|
|
|
One of `name` or `selector` must be set, but `name` and `selector` are
|
|
mutually exclusive properties. If one is set, the other must be unset.
|
|
|
|
A single parameter used for all admission requests can be configured
|
|
by setting the `name` field, leaving `selector` blank, and setting namespace
|
|
if `paramKind` is namespace-scoped.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
namespace is the namespace of the referenced resource. Allows limiting
|
|
the search for params to a specific namespace. Applies to both `name` and
|
|
`selector` fields.
|
|
|
|
A per-namespace parameter may be used by specifying a namespace-scoped
|
|
`paramKind` in the policy and leaving this field empty.
|
|
|
|
- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
|
|
field results in a configuration error.
|
|
|
|
- If `paramKind` is namespace-scoped, the namespace of the object being
|
|
evaluated for admission will be used when this field is left unset. Take
|
|
care that if this is left empty the binding must not match any cluster-scoped
|
|
resources, which will result in an error.
|
|
type: string
|
|
parameterNotFoundAction:
|
|
description: |-
|
|
`parameterNotFoundAction` controls the behavior of the binding when the resource
|
|
exists, and name or selector is valid, but there are no parameters
|
|
matched by the binding. If the value is set to `Allow`, then no
|
|
matched parameters will be treated as successful validation by the binding.
|
|
If set to `Deny`, then no matched parameters will be subject to the
|
|
`failurePolicy` of the policy.
|
|
|
|
Allowed values are `Allow` or `Deny`
|
|
|
|
Required
|
|
type: string
|
|
selector:
|
|
description: |-
|
|
selector can be used to match multiple param objects based on their labels.
|
|
Supply selector: {} to match all resources of the ParamKind.
|
|
|
|
If multiple params are found, they are all evaluated with the policy expressions
|
|
and the results are ANDed together.
|
|
|
|
One of `name` or `selector` must be set, but `name` and `selector` are
|
|
mutually exclusive properties. If one is set, the other must be unset.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
variables:
|
|
description: |-
|
|
Variables contain definitions of variables that can be used in composition of other expressions.
|
|
Each variable is defined as a named CEL expression.
|
|
The variables defined here will be available under `variables` in other expressions of the policy.
|
|
items:
|
|
description: Variable is the definition of a variable
|
|
that is used for composition. A variable is
|
|
defined as a named expression.
|
|
properties:
|
|
expression:
|
|
description: |-
|
|
Expression is the expression that will be evaluated as the value of the variable.
|
|
The CEL expression has access to the same identifiers as the CEL expressions in Validation.
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
|
|
The variable can be accessed in other expressions through `variables`
|
|
For example, if name is "foo", the variable will be available as `variables.foo`
|
|
type: string
|
|
required:
|
|
- expression
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
deny:
|
|
description: Deny defines conditions used to pass or
|
|
fail a validation rule.
|
|
properties:
|
|
conditions:
|
|
description: |-
|
|
Multiple conditions can be declared under an `any` or `all` statement. A direct list
|
|
of conditions (without `any` or `all` statements) is also supported for backwards compatibility
|
|
but will be deprecated in the next major release.
|
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
failureAction:
|
|
description: |-
|
|
FailureAction defines if a validation policy rule violation should block
|
|
the admission review request (Enforce), or allow (Audit) the admission review request
|
|
and report an error in a policy report. Optional.
|
|
Allowed values are Audit or Enforce.
|
|
enum:
|
|
- Audit
|
|
- Enforce
|
|
type: string
|
|
failureActionOverrides:
|
|
description: |-
|
|
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
|
|
namespace-wise. It overrides FailureAction for the specified namespaces.
|
|
items:
|
|
properties:
|
|
action:
|
|
description: ValidationFailureAction defines the
|
|
policy validation failure action
|
|
enum:
|
|
- audit
|
|
- enforce
|
|
- Audit
|
|
- Enforce
|
|
type: string
|
|
namespaceSelector:
|
|
description: |-
|
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
label selector matches no objects.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
type: array
|
|
foreach:
|
|
description: ForEach applies validate rules to a list
|
|
of sub-elements by creating a context for each entry
|
|
in the list and looping over it to apply the specified
|
|
logic.
|
|
items:
|
|
description: ForEachValidation applies validate rules
|
|
to a list of sub-elements by creating a context
|
|
for each entry in the list and looping over it to
|
|
apply the specified logic.
|
|
properties:
|
|
anyPattern:
|
|
description: |-
|
|
AnyPattern specifies list of validation patterns. At least one of the patterns
|
|
must be satisfied for the validation rule to succeed.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
context:
|
|
description: Context defines variables and data
|
|
sources that can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference or an APILookup must be provided.
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains
|
|
the HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data
|
|
value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns an error
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap
|
|
reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference
|
|
is a reference to a cached global context
|
|
entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context
|
|
entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials
|
|
provides credentials that will be
|
|
used for authentication with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry
|
|
allows insecure access to a registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
It can be one of these values: default, google, azure, amazon, github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is an image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary
|
|
JMESPath context variable that can be
|
|
defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary
|
|
JSON object representable in YAML
|
|
or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
deny:
|
|
description: Deny defines conditions used to pass
|
|
or fail a validation rule.
|
|
properties:
|
|
conditions:
|
|
description: |-
|
|
Multiple conditions can be declared under an `any` or `all` statement. A direct list
|
|
of conditions (without `any` or `all` statements) is also supported for backwards compatibility
|
|
but will be deprecated in the next major release.
|
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
elementScope:
|
|
description: |-
|
|
ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
|
|
When set to "false", "request.object" is used as the validation scope within the foreach
|
|
block to allow referencing other elements in the subtree.
|
|
type: boolean
|
|
foreach:
|
|
description: Foreach declares a nested foreach
|
|
iterator
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
list:
|
|
description: |-
|
|
List specifies a JMESPath expression that results in one or more elements
|
|
to which the validation logic is applied.
|
|
type: string
|
|
pattern:
|
|
description: Pattern specifies an overlay-style
|
|
pattern used to check resources.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
preconditions:
|
|
description: |-
|
|
AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be a fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions needs to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be a fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
manifests:
|
|
description: Manifest specifies conditions for manifest
|
|
verification
|
|
properties:
|
|
annotationDomain:
|
|
description: AnnotationDomain is custom domain of
|
|
annotation for message and signature. Default
|
|
is "cosign.sigstore.dev".
|
|
type: string
|
|
attestors:
|
|
description: Attestors specify the required attestors
|
|
(i.e. authorities)
|
|
items:
|
|
properties:
|
|
count:
|
|
description: |-
|
|
Count specifies the required number of entries that must match. If the count is null, all entries must match
|
|
(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
|
|
value N, then N must be less than or equal to the size of entries, and at least N entries must match.
|
|
minimum: 1
|
|
type: integer
|
|
entries:
|
|
description: |-
|
|
Entries contains the available attestors. An attestor can be a static key,
|
|
attributes for keyless verification, or a nested attestor declaration.
|
|
items:
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations are used for image verification.
|
|
Every specified key-value pair must exist and match in the verified payload.
|
|
The payload may contain other key-value pairs.
|
|
type: object
|
|
attestor:
|
|
description: Attestor is a nested set
|
|
of Attestor used to specify a more
|
|
complex set of match authorities.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
certificates:
|
|
description: Certificates specifies
|
|
one or more certificates.
|
|
properties:
|
|
cert:
|
|
description: Cert is an optional
|
|
PEM-encoded public certificate.
|
|
type: string
|
|
certChain:
|
|
description: CertChain is an optional
|
|
PEM encoded set of certificates
|
|
used to verify.
|
|
type: string
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set,
|
|
is used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp source.
|
|
type: string
|
|
type: object
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
transparency log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
keyless:
|
|
description: |-
|
|
Keyless is a set of attributes used to verify a Sigstore keyless attestor.
|
|
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions
|
|
are certificate-extensions used
|
|
for keyless signing.
|
|
type: object
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set,
|
|
is used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp source.
|
|
type: string
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
issuerRegExp:
|
|
description: IssuerRegExp is the
|
|
regular expression to match certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
transparency log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
roots:
|
|
description: |-
|
|
Roots is an optional set of PEM encoded trusted root certificates.
|
|
If not provided, the system roots are used.
|
|
type: string
|
|
subject:
|
|
description: Subject is the verified
|
|
identity used for keyless signing,
|
|
for example the email address.
|
|
type: string
|
|
subjectRegExp:
|
|
description: SubjectRegExp is the
|
|
regular expression to match identity
|
|
used for keyless signing, for
|
|
example the email address.
|
|
type: string
|
|
type: object
|
|
keys:
|
|
description: Keys specifies one or more
|
|
public keys.
|
|
properties:
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set,
|
|
is used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp source.
|
|
type: string
|
|
type: object
|
|
kms:
|
|
description: |-
|
|
KMS provides the URI to the public key stored in a Key Management System. See:
|
|
https://github.com/sigstore/cosign/blob/main/KMS.md
|
|
type: string
|
|
publicKeys:
|
|
description: |-
|
|
Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
|
|
specified or can be a variable reference to a key specified in a ConfigMap (see
|
|
https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
|
|
elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
|
|
The named Secret must specify a key `cosign.pub` containing the public key used for
|
|
verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
|
|
When multiple keys are specified, each key is processed as a separate staticKey entry
|
|
(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
transparency log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
secret:
|
|
description: Reference to a Secret
|
|
resource that contains a public
|
|
key
|
|
properties:
|
|
name:
|
|
description: Name of the secret.
|
|
The provided secret must contain
|
|
a key named cosign.pub.
|
|
type: string
|
|
namespace:
|
|
description: Namespace name
|
|
where the Secret exists.
|
|
type: string
|
|
required:
|
|
- name
|
|
- namespace
|
|
type: object
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Deprecated. Use attestor.signatureAlgorithm
|
|
instead.
|
|
type: string
|
|
type: object
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
|
|
If specified, Repository will override other OCI image repository locations for this Attestor.
|
|
type: string
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Specify signature algorithm
|
|
for public keys. Supported values
|
|
are sha224, sha256, sha384 and sha512.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
dryRun:
|
|
description: DryRun configuration
|
|
properties:
|
|
enable:
|
|
type: boolean
|
|
namespace:
|
|
type: string
|
|
type: object
|
|
ignoreFields:
|
|
description: Fields which will be ignored while
|
|
comparing manifests.
|
|
items:
|
|
properties:
|
|
fields:
|
|
items:
|
|
type: string
|
|
type: array
|
|
objects:
|
|
items:
|
|
properties:
|
|
group:
|
|
type: string
|
|
kind:
|
|
type: string
|
|
name:
|
|
type: string
|
|
namespace:
|
|
type: string
|
|
version:
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for resource bundle reference.
|
|
The repository can be overridden per Attestor or Attestation.
|
|
type: string
|
|
type: object
|
|
message:
|
|
description: Message specifies a custom message to be
|
|
displayed on failure.
|
|
type: string
|
|
pattern:
|
|
description: Pattern specifies an overlay-style pattern
|
|
used to check resources.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
podSecurity:
|
|
description: |-
|
|
PodSecurity applies exemptions for Kubernetes Pod Security admission
|
|
by specifying exclusions for Pod Security Standards controls.
|
|
properties:
|
|
exclude:
|
|
description: Exclude specifies the Pod Security
|
|
Standard controls to be excluded.
|
|
items:
|
|
description: PodSecurityStandard specifies the
|
|
Pod Security Standard controls to be excluded.
|
|
properties:
|
|
controlName:
|
|
description: |-
|
|
ControlName specifies the name of the Pod Security Standard control.
|
|
See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
|
|
enum:
|
|
- HostProcess
|
|
- Host Namespaces
|
|
- Privileged Containers
|
|
- Capabilities
|
|
- HostPath Volumes
|
|
- Host Ports
|
|
- AppArmor
|
|
- SELinux
|
|
- /proc Mount Type
|
|
- Seccomp
|
|
- Sysctls
|
|
- Volume Types
|
|
- Privilege Escalation
|
|
- Running as Non-root
|
|
- Running as Non-root user
|
|
type: string
|
|
images:
|
|
description: |-
|
|
Images selects matching containers and applies the container level PSS.
|
|
Each image is the image name consisting of the registry address, repository, image, and tag.
|
|
Empty list matches no containers, PSS checks are applied at the pod level only.
|
|
Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
|
|
items:
|
|
type: string
|
|
type: array
|
|
restrictedField:
|
|
description: |-
|
|
RestrictedField selects the field for the given Pod Security Standard control.
|
|
When not set, all restricted fields for the control are selected.
|
|
type: string
|
|
values:
|
|
description: Values defines the allowed values
|
|
that can be excluded.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- controlName
|
|
type: object
|
|
type: array
|
|
level:
|
|
description: |-
|
|
Level defines the Pod Security Standard level to be applied to workloads.
|
|
Allowed values are privileged, baseline, and restricted.
|
|
enum:
|
|
- privileged
|
|
- baseline
|
|
- restricted
|
|
type: string
|
|
version:
|
|
description: |-
|
|
Version defines the Pod Security Standard versions that Kubernetes supports.
|
|
Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
|
|
enum:
|
|
- v1.19
|
|
- v1.20
|
|
- v1.21
|
|
- v1.22
|
|
- v1.23
|
|
- v1.24
|
|
- v1.25
|
|
- v1.26
|
|
- v1.27
|
|
- v1.28
|
|
- v1.29
|
|
- latest
|
|
type: string
|
|
type: object
|
|
type: object
|
|
verifyImages:
|
|
description: VerifyImages is used to verify image signatures
|
|
and mutate them to add a digest
|
|
items:
|
|
description: |-
|
|
ImageVerification validates that images that match the specified pattern
|
|
are signed with the supplied public key. Once the image is verified it is
|
|
mutated to include the SHA digest retrieved during the registration.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: Deprecated.
|
|
type: object
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Deprecated. Use annotations per Attestor
|
|
instead.
|
|
type: object
|
|
attestations:
|
|
description: |-
|
|
Attestations are optional checks for signed in-toto Statements used to verify the image.
|
|
See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
|
|
OCI registry and decodes them into a list of Statement declarations.
|
|
items:
|
|
description: |-
|
|
Attestation are checks for signed in-toto Statements that are used to verify the image.
|
|
See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
|
|
OCI registry and decodes them into a list of Statements.
|
|
properties:
|
|
attestors:
|
|
description: Attestors specify the required
|
|
attestors (i.e. authorities).
|
|
items:
|
|
properties:
|
|
count:
|
|
description: |-
|
|
Count specifies the required number of entries that must match. If the count is null, all entries must match
|
|
(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
|
|
value N, then N must be less than or equal to the size of entries, and at least N entries must match.
|
|
minimum: 1
|
|
type: integer
|
|
entries:
|
|
description: |-
|
|
Entries contains the available attestors. An attestor can be a static key,
|
|
attributes for keyless verification, or a nested attestor declaration.
|
|
items:
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations are used for image verification.
|
|
Every specified key-value pair must exist and match in the verified payload.
|
|
The payload may contain other key-value pairs.
|
|
type: object
|
|
attestor:
|
|
description: Attestor is a nested
|
|
set of Attestor used to specify
|
|
a more complex set of match authorities.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
certificates:
|
|
description: Certificates specifies
|
|
one or more certificates.
|
|
properties:
|
|
cert:
|
|
description: Cert is an optional
|
|
PEM-encoded public certificate.
|
|
type: string
|
|
certChain:
|
|
description: CertChain is an
|
|
optional PEM encoded set of
|
|
certificates used to verify.
|
|
type: string
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if
|
|
set, is used to validate
|
|
SCTs against a custom
|
|
source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp source.
|
|
type: string
|
|
type: object
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog
|
|
skips transparency log
|
|
verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the
|
|
address of the transparency
|
|
log. Defaults to the public
|
|
Rekor log instance https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
keyless:
|
|
description: |-
|
|
Keyless is a set of attributes used to verify a Sigstore keyless attestor.
|
|
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions
|
|
are certificate-extensions
|
|
used for keyless signing.
|
|
type: object
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if
|
|
set, is used to validate
|
|
SCTs against a custom
|
|
source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp source.
|
|
type: string
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
issuerRegExp:
|
|
description: IssuerRegExp is
|
|
the regular expression to
|
|
match certificate issuer used
|
|
for keyless signing.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog
|
|
skips transparency log
|
|
verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the
|
|
address of the transparency
|
|
log. Defaults to the public
|
|
Rekor log instance https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
roots:
|
|
description: |-
|
|
Roots is an optional set of PEM encoded trusted root certificates.
|
|
If not provided, the system roots are used.
|
|
type: string
|
|
subject:
|
|
description: Subject is the
|
|
verified identity used for
|
|
keyless signing, for example
|
|
the email address.
|
|
type: string
|
|
subjectRegExp:
|
|
description: SubjectRegExp is
|
|
the regular expression to
|
|
match identity used for keyless
|
|
signing, for example the email
|
|
address.
|
|
type: string
|
|
type: object
|
|
keys:
|
|
description: Keys specifies one
|
|
or more public keys.
|
|
properties:
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if
|
|
set, is used to validate
|
|
SCTs against a custom
|
|
source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp source.
|
|
type: string
|
|
type: object
|
|
kms:
|
|
description: |-
|
|
KMS provides the URI to the public key stored in a Key Management System. See:
|
|
https://github.com/sigstore/cosign/blob/main/KMS.md
|
|
type: string
|
|
publicKeys:
|
|
description: |-
|
|
Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
|
|
specified or can be a variable reference to a key specified in a ConfigMap (see
|
|
https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
|
|
elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
|
|
The named Secret must specify a key `cosign.pub` containing the public key used for
|
|
verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
|
|
When multiple keys are specified, each key is processed as a separate staticKey entry
|
|
(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog
|
|
skips transparency log
|
|
verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the
|
|
address of the transparency
|
|
log. Defaults to the public
|
|
Rekor log instance https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
secret:
|
|
description: Reference to a
|
|
Secret resource that contains
|
|
a public key
|
|
properties:
|
|
name:
|
|
description: Name of the
|
|
secret. The provided secret
|
|
must contain a key named
|
|
cosign.pub.
|
|
type: string
|
|
namespace:
|
|
description: Namespace name
|
|
where the Secret exists.
|
|
type: string
|
|
required:
|
|
- name
|
|
- namespace
|
|
type: object
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Deprecated. Use
|
|
attestor.signatureAlgorithm
|
|
instead.
|
|
type: string
|
|
type: object
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
|
|
If specified, Repository will override other OCI image repository locations for this Attestor.
|
|
type: string
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Specify signature algorithm
|
|
for public keys. Supported values
|
|
are sha224, sha256, sha384 and
|
|
sha512.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
conditions:
|
|
description: |-
|
|
Conditions are used to verify attributes within a Predicate. If no Conditions are specified
|
|
the attestation check is satisfied as long as there are predicates that match the predicate type.
|
|
items:
|
|
description: |-
|
|
AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
|
|
AnyConditions get fulfilled when at least one of its sub-conditions passes.
|
|
AllConditions get fulfilled only when all of its sub-conditions pass.
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context
|
|
entry (using JMESPath) for conditional
|
|
rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be a fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions needs to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context
|
|
entry (using JMESPath) for conditional
|
|
rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be a fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
predicateType:
|
|
description: Deprecated in favour of 'Type',
|
|
to be removed soon
|
|
type: string
|
|
type:
|
|
description: Type defines the type of attestation
|
|
contained within the Statement.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
attestors:
|
|
description: Attestors specify the required attestors
|
|
(i.e. authorities)
|
|
items:
|
|
properties:
|
|
count:
|
|
description: |-
|
|
Count specifies the required number of entries that must match. If the count is null, all entries must match
|
|
(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
|
|
value N, then N must be less than or equal to the size of entries, and at least N entries must match.
|
|
minimum: 1
|
|
type: integer
|
|
entries:
|
|
description: |-
|
|
Entries contains the available attestors. An attestor can be a static key,
|
|
attributes for keyless verification, or a nested attestor declaration.
|
|
items:
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations are used for image verification.
|
|
Every specified key-value pair must exist and match in the verified payload.
|
|
The payload may contain other key-value pairs.
|
|
type: object
|
|
attestor:
|
|
description: Attestor is a nested set
|
|
of Attestor used to specify a more complex
|
|
set of match authorities.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
certificates:
|
|
description: Certificates specifies one
|
|
or more certificates.
|
|
properties:
|
|
cert:
|
|
description: Cert is an optional PEM-encoded
|
|
public certificate.
|
|
type: string
|
|
certChain:
|
|
description: CertChain is an optional
|
|
PEM encoded set of certificates
|
|
used to verify.
|
|
type: string
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate transparency log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set, is
|
|
used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp source.
|
|
type: string
|
|
type: object
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
transparency log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
keyless:
|
|
description: |-
|
|
Keyless is a set of attributes used to verify a Sigstore keyless attestor.
|
|
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions
|
|
are certificate-extensions used
|
|
for keyless signing.
|
|
type: object
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate transparency log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set, is
|
|
used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp source.
|
|
type: string
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
issuerRegExp:
|
|
description: IssuerRegExp is the regular
|
|
expression to match certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
transparency log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
roots:
|
|
description: |-
|
|
Roots is an optional set of PEM encoded trusted root certificates.
|
|
If not provided, the system roots are used.
|
|
type: string
|
|
subject:
|
|
description: Subject is the verified
|
|
identity used for keyless signing,
|
|
for example the email address.
|
|
type: string
|
|
subjectRegExp:
|
|
description: SubjectRegExp is the
|
|
regular expression to match identity
|
|
used for keyless signing, for example
|
|
the email address.
|
|
type: string
|
|
type: object
|
|
keys:
|
|
description: Keys specifies one or more
|
|
public keys.
|
|
properties:
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate transparency log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set, is
|
|
used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp source.
|
|
type: string
|
|
type: object
|
|
kms:
|
|
description: |-
|
|
KMS provides the URI to the public key stored in a Key Management System. See:
|
|
https://github.com/sigstore/cosign/blob/main/KMS.md
|
|
type: string
|
|
publicKeys:
|
|
description: |-
|
|
Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
|
|
specified or can be a variable reference to a key specified in a ConfigMap (see
|
|
https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
|
|
elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
|
|
The named Secret must specify a key `cosign.pub` containing the public key used for
|
|
verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
|
|
When multiple keys are specified each key is processed as a separate staticKey entry
|
|
(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
transparency log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
secret:
|
|
description: Reference to a Secret
|
|
resource that contains a public
|
|
key
|
|
properties:
|
|
name:
|
|
description: Name of the secret.
|
|
The provided secret must contain
|
|
a key named cosign.pub.
|
|
type: string
|
|
namespace:
|
|
description: Namespace name where
|
|
the Secret exists.
|
|
type: string
|
|
required:
|
|
- name
|
|
- namespace
|
|
type: object
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Deprecated. Use attestor.signatureAlgorithm
|
|
instead.
|
|
type: string
|
|
type: object
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
|
|
If specified Repository will override other OCI image repository locations for this Attestor.
|
|
type: string
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Specify signature algorithm
|
|
for public keys. Supported values are
|
|
sha224, sha256, sha384 and sha512.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
cosignOCI11:
|
|
description: |-
|
|
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
|
Defaults to false.
|
|
type: boolean
|
|
failureAction:
|
|
description: Allowed values are Audit or Enforce.
|
|
enum:
|
|
- Audit
|
|
- Enforce
|
|
type: string
|
|
image:
|
|
description: Deprecated. Use ImageReferences instead.
|
|
type: string
|
|
imageReferences:
|
|
description: |-
|
|
ImageReferences is a list of matching image reference patterns. At least one pattern in the
|
|
list must match the image for the rule to apply. Each image reference consists of a registry
|
|
address (defaults to docker.io), repository, image, and tag (defaults to latest).
|
|
Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
|
|
items:
|
|
type: string
|
|
type: array
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides credentials
|
|
that will be used for authentication with the registry.
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows insecure
|
|
access to a registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
It can be one of these values: default, google, azure, amazon, github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential providers
|
|
required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
issuer:
|
|
description: Deprecated. Use KeylessAttestor instead.
|
|
type: string
|
|
key:
|
|
description: Deprecated. Use StaticKeyAttestor instead.
|
|
type: string
|
|
mutateDigest:
|
|
default: true
|
|
description: |-
|
|
MutateDigest enables replacement of image tags with digests.
|
|
Defaults to true.
|
|
type: boolean
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
|
|
If specified Repository will override the default OCI image repository configured for the installation.
|
|
The repository can also be overridden per Attestor or Attestation.
|
|
type: string
|
|
required:
|
|
default: true
|
|
description: Required validates that images are verified
|
|
i.e. have passed a signature or attestation
|
|
check.
|
|
type: boolean
|
|
roots:
|
|
description: Deprecated. Use KeylessAttestor instead.
|
|
type: string
|
|
skipImageReferences:
|
|
description: |-
|
|
SkipImageReferences is a list of matching image reference patterns that should be skipped.
|
|
At least one pattern in the list must match the image for the rule to be skipped. Each image reference
|
|
consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
|
|
Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subject:
|
|
description: Deprecated. Use KeylessAttestor instead.
|
|
type: string
|
|
type:
|
|
description: |-
|
|
Type specifies the method of signature validation. The allowed options
|
|
are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified.
|
|
enum:
|
|
- Cosign
|
|
- SigstoreBundle
|
|
- Notary
|
|
type: string
|
|
useCache:
|
|
default: true
|
|
description: UseCache enables caching of image verify
|
|
responses for this rule.
|
|
type: boolean
|
|
verifyDigest:
|
|
default: true
|
|
description: VerifyDigest validates that images have
|
|
a digest.
|
|
type: boolean
|
|
type: object
|
|
type: array
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
type: object
|
|
conditions:
|
|
items:
|
|
description: Condition contains details for one aspect of the current
|
|
state of this API Resource.
|
|
properties:
|
|
lastTransitionTime:
|
|
description: |-
|
|
lastTransitionTime is the last time the condition transitioned from one status to another.
|
|
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
|
|
format: date-time
|
|
type: string
|
|
message:
|
|
description: |-
|
|
message is a human readable message indicating details about the transition.
|
|
This may be an empty string.
|
|
maxLength: 32768
|
|
type: string
|
|
observedGeneration:
|
|
description: |-
|
|
observedGeneration represents the .metadata.generation that the condition was set based upon.
|
|
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
|
|
with respect to the current state of the instance.
|
|
format: int64
|
|
minimum: 0
|
|
type: integer
|
|
reason:
|
|
description: |-
|
|
reason contains a programmatic identifier indicating the reason for the condition's last transition.
|
|
Producers of specific condition types may define expected values and meanings for this field,
|
|
and whether the values are considered a guaranteed API.
|
|
The value should be a CamelCase string.
|
|
This field may not be empty.
|
|
maxLength: 1024
|
|
minLength: 1
|
|
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
|
type: string
|
|
status:
|
|
description: status of the condition, one of True, False, Unknown.
|
|
enum:
|
|
- "True"
|
|
- "False"
|
|
- Unknown
|
|
type: string
|
|
type:
|
|
description: type of condition in CamelCase or in foo.example.com/CamelCase.
|
|
maxLength: 316
|
|
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
|
type: string
|
|
required:
|
|
- lastTransitionTime
|
|
- message
|
|
- reason
|
|
- status
|
|
- type
|
|
type: object
|
|
type: array
|
|
ready:
|
|
description: Deprecated in favor of Conditions
|
|
type: boolean
|
|
rulecount:
|
|
description: |-
|
|
RuleCountStatus contains four variables which describe counts for
|
|
validate, generate, mutate and verify images rules
|
|
properties:
|
|
generate:
|
|
description: Count for generate rules in policy
|
|
type: integer
|
|
mutate:
|
|
description: Count for mutate rules in policy
|
|
type: integer
|
|
validate:
|
|
description: Count for validate rules in policy
|
|
type: integer
|
|
verifyimages:
|
|
description: Count for verify image rules in policy
|
|
type: integer
|
|
required:
|
|
- generate
|
|
- mutate
|
|
- validate
|
|
- verifyimages
|
|
type: object
|
|
validatingadmissionpolicy:
|
|
description: ValidatingAdmissionPolicy contains status information
|
|
properties:
|
|
generated:
|
|
description: Generated indicates whether a validating admission
|
|
policy is generated from the policy or not
|
|
type: boolean
|
|
message:
|
|
description: |-
|
|
Message is a human readable message indicating details about the generation of validating admission policy.
|
|
It is an empty string when validating admission policy is successfully generated.
|
|
type: string
|
|
required:
|
|
- generated
|
|
- message
|
|
type: object
|
|
type: object
|
|
required:
|
|
- spec
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources:
|
|
status: {}
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .spec.admission
|
|
name: ADMISSION
|
|
type: boolean
|
|
- jsonPath: .spec.background
|
|
name: BACKGROUND
|
|
type: boolean
|
|
- jsonPath: .status.conditions[?(@.type == "Ready")].status
|
|
name: READY
|
|
type: string
|
|
- jsonPath: .metadata.creationTimestamp
|
|
name: AGE
|
|
type: date
|
|
- jsonPath: .spec.failurePolicy
|
|
name: FAILURE POLICY
|
|
priority: 1
|
|
type: string
|
|
- jsonPath: .status.rulecount.validate
|
|
name: VALIDATE
|
|
priority: 1
|
|
type: integer
|
|
- jsonPath: .status.rulecount.mutate
|
|
name: MUTATE
|
|
priority: 1
|
|
type: integer
|
|
- jsonPath: .status.rulecount.generate
|
|
name: GENERATE
|
|
priority: 1
|
|
type: integer
|
|
- jsonPath: .status.rulecount.verifyimages
|
|
name: VERIFY IMAGES
|
|
priority: 1
|
|
type: integer
|
|
- jsonPath: .status.conditions[?(@.type == "Ready")].message
|
|
name: MESSAGE
|
|
type: string
|
|
name: v2beta1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: ClusterPolicy declares validation, mutation, and generation behaviors
|
|
for matching resources.
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion defines the versioned schema of this representation of an object.
|
|
Servers should convert recognized schemas to the latest internal value, and
|
|
may reject unrecognized values.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is a string value representing the REST resource this object represents.
|
|
Servers may infer this from the endpoint the client submits requests to.
|
|
Cannot be updated.
|
|
In CamelCase.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Spec declares policy behaviors.
|
|
properties:
|
|
admission:
|
|
default: true
|
|
description: |-
|
|
Admission controls if rules are applied during admission.
|
|
Optional. Default value is "true".
|
|
type: boolean
|
|
applyRules:
|
|
description: |-
|
|
ApplyRules controls how rules in a policy are applied. Rules are processed in
|
|
the order of declaration. When set to `One` processing stops after a rule has
|
|
been applied i.e. the rule matches and results in a pass, fail, or error. When
|
|
set to `All` all rules in the policy are processed. The default is `All`.
|
|
enum:
|
|
- All
|
|
- One
|
|
type: string
|
|
background:
|
|
default: true
|
|
description: |-
|
|
Background controls if rules are applied to existing resources during a background scan.
|
|
Optional. Default value is "true". The value must be set to "false" if the policy rule
|
|
uses variables that are only available in the admission review request (e.g. user name).
|
|
type: boolean
|
|
failurePolicy:
|
|
description: Deprecated, use failurePolicy under the webhookConfiguration
|
|
instead.
|
|
enum:
|
|
- Ignore
|
|
- Fail
|
|
type: string
|
|
generateExisting:
|
|
description: Deprecated, use generateExisting under the generate rule
|
|
instead
|
|
type: boolean
|
|
generateExistingOnPolicyUpdate:
|
|
description: Deprecated, use generateExisting instead
|
|
type: boolean
|
|
mutateExistingOnPolicyUpdate:
|
|
description: Deprecated, use mutateExistingOnPolicyUpdate under the
|
|
mutate rule instead
|
|
type: boolean
|
|
rules:
|
|
description: |-
|
|
Rules is a list of Rule instances. A Policy contains multiple rules and
|
|
each rule can validate, mutate, or generate resources.
|
|
items:
|
|
description: |-
|
|
Rule defines a validation, mutation, or generation control for matching resources.
|
|
Each rule contains a match declaration to select resources, and an optional exclude
|
|
declaration to specify which resources to exclude.
|
|
properties:
|
|
celPreconditions:
|
|
description: |-
|
|
CELPreconditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of CEL conditions. It can only be used with the validate.cel subrule
|
|
items:
|
|
description: MatchCondition represents a condition which must
|
|
be fulfilled for a request to be sent to a webhook.
|
|
properties:
|
|
expression:
|
|
description: |-
|
|
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
|
|
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
|
|
|
|
'object' - The object from the incoming request. The value is null for DELETE requests.
|
|
'oldObject' - The existing object. The value is null for CREATE requests.
|
|
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
|
|
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
|
|
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
|
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
|
|
request resource.
|
|
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
|
|
|
|
Required.
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name is an identifier for this match condition, used for strategic merging of MatchConditions,
|
|
as well as providing an identifier for logging purposes. A good name should be descriptive of
|
|
the associated expression.
|
|
Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
|
|
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
|
|
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
|
|
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
|
|
|
|
Required.
|
|
type: string
|
|
required:
|
|
- expression
|
|
- name
|
|
type: object
|
|
type: array
|
|
context:
|
|
description: Context defines variables and data sources that
|
|
can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference or an APILookup must be provided.
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains the HTTP POST
|
|
data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier for
|
|
the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns an error
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request type (GET
|
|
or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference is a reference
|
|
to a cached global context entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides credentials
|
|
that will be used for authentication with the registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows insecure
|
|
access to a registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
It can be one of these values: default, google, azure, amazon, github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential providers
|
|
required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath context
|
|
variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON object representable
|
|
in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
exclude:
|
|
description: |-
|
|
ExcludeResources defines when this policy rule should not be applied. The exclude
|
|
criteria can include resource information (e.g. kind, name, namespace, labels)
|
|
and admission review request information like the name or role.
|
|
not:
|
|
required:
|
|
- any
|
|
- all
|
|
properties:
|
|
all:
|
|
description: All allows specifying resources which will
|
|
be ANDed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or "OR"
|
|
between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used
|
|
to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one
|
|
of the values CREATE, UPDATE, CONNECT, DELETE,
|
|
which are used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: Any allows specifying resources which will
|
|
be ORed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or "OR"
|
|
between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespaces names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used
|
|
to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one
|
|
of the values CREATE, UPDATE, CONNECT, DELETE,
|
|
which are used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
type: object
|
|
generate:
|
|
description: Generation is used to create new resources.
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
clone:
|
|
description: |-
|
|
Clone specifies the source resource used to populate each generated resource.
|
|
At most one of Data or Clone can be specified. If neither are provided, the generated
|
|
resource will be created with default data only.
|
|
properties:
|
|
name:
|
|
description: Name specifies name of the resource.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies source resource namespace.
|
|
type: string
|
|
type: object
|
|
cloneList:
|
|
description: CloneList specifies the list of source resource
|
|
used to populate each generated resource.
|
|
properties:
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespace:
|
|
description: Namespace specifies source resource namespace.
|
|
type: string
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` are matched literally;
|
|
wildcard characters are not supported.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
data:
|
|
description: |-
|
|
Data provides the resource declaration used to populate each generated resource.
|
|
At most one of Data or Clone can be specified. If neither are provided, the generated
|
|
resource will be created with default data only.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
foreach:
|
|
description: ForEach applies generate rules to a list of
|
|
sub-elements by creating a context for each entry in the
|
|
list and looping over it to apply the specified logic.
|
|
items:
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
clone:
|
|
description: |-
|
|
Clone specifies the source resource used to populate each generated resource.
|
|
At most one of Data or Clone can be specified. If neither are provided, the generated
|
|
resource will be created with default data only.
|
|
properties:
|
|
name:
|
|
description: Name specifies name of the resource.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies source resource
|
|
namespace.
|
|
type: string
|
|
type: object
|
|
cloneList:
|
|
description: CloneList specifies the list of source
|
|
resource used to populate each generated resource.
|
|
properties:
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespace:
|
|
description: Namespace specifies source resource
|
|
namespace.
|
|
type: string
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` are matched literally;
|
|
wildcard characters are not supported.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
context:
|
|
description: Context defines variables and data sources
|
|
that can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference, API call, image registry lookup, inline variable, or global context reference must be provided (exactly one).
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains the
|
|
HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns an error. Note that supplying a default turns a failed lookup into a successful one, so choose a value under which the rule still fails closed.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference is
|
|
a reference to a cached global context entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context
|
|
entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides
|
|
credentials that will be used for authentication
|
|
with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows
|
|
insecure access to a registry (presumably plain HTTP or skipped TLS verification). Use only for trusted, isolated registries; image data fetched over an insecure channel may be tampered with in transit.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
Each entry must be one of: default, google, azure, amazon, github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath
|
|
context variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON
|
|
object representable in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
data:
|
|
description: |-
|
|
Data provides the resource declaration used to populate each generated resource.
|
|
At most one of Data or Clone can be specified. If neither are provided, the generated
|
|
resource will be created with default data only.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
list:
|
|
description: |-
|
|
List specifies a JMESPath expression that results in one or more elements
|
|
to which the generate logic is applied.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
preconditions:
|
|
description: |-
|
|
AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display
|
|
message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display
|
|
message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
uid:
|
|
description: UID specifies the resource uid.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
generateExisting:
|
|
description: |-
|
|
GenerateExisting controls whether to trigger the rule in existing resources.
|
|
If it is set to "true", the rule will be triggered and applied to existing matched resources.
|
|
type: boolean
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
orphanDownstreamOnPolicyDelete:
|
|
description: |-
|
|
OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
|
|
them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
|
|
See https://kyverno.io/docs/writing-policies/generate/#data-examples.
|
|
Defaults to "false" if not specified.
|
|
type: boolean
|
|
synchronize:
|
|
description: |-
|
|
Synchronize controls if generated resources should be kept in-sync with their source resource.
|
|
If Synchronize is set to "true" changes to generated resources will be overwritten with resource
|
|
data from Data or the resource specified in the Clone declaration.
|
|
Optional. Defaults to "false" if not specified.
|
|
type: boolean
|
|
uid:
|
|
description: UID specifies the resource uid.
|
|
type: string
|
|
type: object
|
|
imageExtractors:
|
|
additionalProperties:
|
|
items:
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath expression to apply to the image value.
|
|
This is useful when the extracted image begins with a prefix like 'docker://'.
|
|
The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
|
|
Note - Image digest mutation may not be used when applying a JMESPath to an image.
|
|
type: string
|
|
key:
|
|
description: |-
|
|
Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
|
|
Note - this field MUST be unique.
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name is the entry the image will be available under 'images.<name>' in the context.
|
|
If this field is not defined, image entries will appear under 'images.custom'.
|
|
type: string
|
|
path:
|
|
description: |-
|
|
Path is the path to the object containing the image field in a custom resource.
|
|
It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
|
|
Wildcard keys are expanded in case of arrays or objects.
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is an optional name of the field within 'path' that points to the image URI.
|
|
This is useful when a custom 'key' is also defined.
|
|
type: string
|
|
required:
|
|
- path
|
|
type: object
|
|
type: array
|
|
description: |-
|
|
ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
|
|
This config is only valid for verifyImages rules.
|
|
type: object
|
|
match:
|
|
description: |-
|
|
MatchResources defines when this policy rule should be applied. The match
|
|
criteria can include resource information (e.g. kind, name, namespace, labels)
|
|
and admission review request information like the user name or role.
|
|
At least one kind is required.
|
|
not:
|
|
required:
|
|
- any
|
|
- all
|
|
properties:
|
|
all:
|
|
description: All allows specifying resources which will
|
|
be ANDed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or "OR"
|
|
between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespaces names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used
|
|
to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one
|
|
of the values CREATE, UPDATE, CONNECT, DELETE,
|
|
which are used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: Any allows specifying resources which will
|
|
be ORed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or "OR"
|
|
between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used
|
|
to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one
|
|
of the values CREATE, UPDATE, CONNECT, DELETE,
|
|
which are used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
type: object
|
|
mutate:
|
|
description: Mutation is used to modify matching resources.
|
|
properties:
|
|
foreach:
|
|
description: ForEach applies mutation rules to a list of
|
|
sub-elements by creating a context for each entry in the
|
|
list and looping over it to apply the specified logic.
|
|
items:
|
|
description: ForEachMutation applies mutation rules to
|
|
a list of sub-elements by creating a context for each
|
|
entry in the list and looping over it to apply the specified
|
|
logic.
|
|
properties:
|
|
context:
|
|
description: Context defines variables and data sources
|
|
that can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference or an APILookup must be provided.
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains the
|
|
HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns an error
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference is
|
|
a reference to a cached global context entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context
|
|
entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides
|
|
credentials that will be used for authentication
|
|
with the registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows
|
|
insecure access to a registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
It can be of one of these values: default,google,azure,amazon,github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is an image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath
|
|
context variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON
|
|
object representable in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
foreach:
|
|
description: Foreach declares a nested foreach iterator
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
list:
|
|
description: |-
|
|
List specifies a JMESPath expression that results in one or more elements
|
|
to which the validation logic is applied.
|
|
type: string
|
|
order:
|
|
description: |-
|
|
Order defines the iteration order on the list.
|
|
Can be Ascending to iterate from first to last element or Descending to iterate from last to first element.
|
|
enum:
|
|
- Ascending
|
|
- Descending
|
|
type: string
|
|
patchStrategicMerge:
|
|
description: |-
|
|
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
|
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
|
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
patchesJson6902:
|
|
description: |-
|
|
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
|
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
|
type: string
|
|
preconditions:
|
|
description: |-
|
|
AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display
|
|
message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions needs to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display
|
|
message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
mutateExistingOnPolicyUpdate:
|
|
description: MutateExistingOnPolicyUpdate controls if the
|
|
mutateExisting rule will be applied on policy events.
|
|
type: boolean
|
|
patchStrategicMerge:
|
|
description: |-
|
|
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
|
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
|
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
patchesJson6902:
|
|
description: |-
|
|
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
|
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
|
type: string
|
|
targets:
|
|
description: Targets defines the target resources to be
|
|
mutated.
|
|
items:
|
|
description: TargetResourceSpec defines targets for mutating
|
|
existing resources.
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
context:
|
|
description: Context defines variables and data sources
|
|
that can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference or an APILookup must be provided.
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains the
|
|
HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns an error
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference is
|
|
a reference to a cached global context entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context
|
|
entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides
|
|
credentials that will be used for authentication
|
|
with the registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows
|
|
insecure access to a registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
It can be of one of these values: default,google,azure,amazon,github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is an image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath
|
|
context variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON
|
|
object representable in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
preconditions:
|
|
description: |-
|
|
Preconditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
|
|
of conditions (without `any` or `all` statements) is supported for backwards compatibility but
|
|
will be deprecated in the next major release.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
uid:
|
|
description: UID specifies the resource uid.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
name:
|
|
description: Name is a label to identify the rule. It must be
|
|
unique within the policy.
|
|
maxLength: 63
|
|
type: string
|
|
preconditions:
|
|
description: |-
|
|
Preconditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass.
|
|
items:
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using JMESPath)
|
|
for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- AnyIn
|
|
- AllIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions needs to pass.
|
|
items:
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using JMESPath)
|
|
for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- AnyIn
|
|
- AllIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
skipBackgroundRequests:
|
|
default: true
|
|
description: |-
|
|
SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
|
|
The default value is set to "true", it must be set to "false" to apply
|
|
generate and mutateExisting rules to those requests.
|
|
type: boolean
|
|
validate:
|
|
description: Validation is used to validate matching resources.
|
|
properties:
|
|
anyPattern:
|
|
description: |-
|
|
AnyPattern specifies a list of validation patterns. At least one of the patterns
|
|
must be satisfied for the validation rule to succeed.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
assert:
|
|
description: Assert defines a kyverno-json assertion tree.
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
cel:
|
|
description: CEL allows validation checks using the Common
|
|
Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
|
|
properties:
|
|
auditAnnotations:
|
|
description: AuditAnnotations contains CEL expressions
|
|
which are used to produce audit annotations for the
|
|
audit event of the API request.
|
|
items:
|
|
description: AuditAnnotation describes how to produce
|
|
an audit annotation for an API request.
|
|
properties:
|
|
key:
|
|
description: |-
|
|
key specifies the audit annotation key. The audit annotation keys of
|
|
a ValidatingAdmissionPolicy must be unique. The key must be a qualified
|
|
name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
|
|
|
|
The key is combined with the resource name of the
|
|
ValidatingAdmissionPolicy to construct an audit annotation key:
|
|
"{ValidatingAdmissionPolicy name}/{key}".
|
|
|
|
If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
|
|
and the same audit annotation key, the annotation key will be identical.
|
|
In this case, the first annotation written with the key will be included
|
|
in the audit event and all subsequent annotations with the same key
|
|
will be discarded.
|
|
|
|
Required.
|
|
type: string
|
|
valueExpression:
|
|
description: |-
|
|
valueExpression represents the expression which is evaluated by CEL to
|
|
produce an audit annotation value. The expression must evaluate to either
|
|
a string or null value. If the expression evaluates to a string, the
|
|
audit annotation is included with the string value. If the expression
|
|
evaluates to null or empty string the audit annotation will be omitted.
|
|
The valueExpression may be no longer than 5kb in length.
|
|
If the result of the valueExpression is more than 10kb in length, it
|
|
will be truncated to 10kb.
|
|
|
|
If multiple ValidatingAdmissionPolicyBinding resources match an
|
|
API request, then the valueExpression will be evaluated for
|
|
each binding. All unique values produced by the valueExpressions
|
|
will be joined together in a comma-separated list.
|
|
|
|
Required.
|
|
type: string
|
|
required:
|
|
- key
|
|
- valueExpression
|
|
type: object
|
|
type: array
|
|
expressions:
|
|
description: Expressions is a list of CELExpression
|
|
types.
|
|
items:
|
|
description: Validation specifies the CEL expression
|
|
which is used to apply the validation.
|
|
properties:
|
|
expression:
|
|
description: "Expression represents the expression
|
|
which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
|
|
expressions have access to the contents of the
|
|
API request/response, organized into CEL variables
|
|
as well as some other useful variables:\n\n-
|
|
'object' - The object from the incoming request.
|
|
The value is null for DELETE requests.\n- 'oldObject'
|
|
- The existing object. The value is null for
|
|
CREATE requests.\n- 'request' - Attributes of
|
|
the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
|
|
'params' - Parameter resource referred to by
|
|
the policy binding being evaluated. Only populated
|
|
if the policy has a ParamKind.\n- 'namespaceObject'
|
|
- The namespace object that the incoming object
|
|
belongs to. The value is null for cluster-scoped
|
|
resources.\n- 'variables' - Map of composited
|
|
variables, from its name to its lazily evaluated
|
|
value.\n For example, a variable named 'foo'
|
|
can be accessed as 'variables.foo'.\n- 'authorizer'
|
|
- A CEL Authorizer. May be used to perform authorization
|
|
checks for the principal (user or service account)
|
|
of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
|
|
'authorizer.requestResource' - A CEL ResourceCheck
|
|
constructed from the 'authorizer' and configured
|
|
with the\n request resource.\n\nThe `apiVersion`,
|
|
`kind`, `metadata.name` and `metadata.generateName`
|
|
are always accessible from the root of the\nobject.
|
|
No other metadata properties are accessible.\n\nOnly
|
|
property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
|
|
are accessible.\nAccessible property names are
|
|
escaped according to the following rules when
|
|
accessed in the expression:\n- '__' escapes
|
|
to '__underscores__'\n- '.' escapes to '__dot__'\n-
|
|
'-' escapes to '__dash__'\n- '/' escapes to
|
|
'__slash__'\n- Property names that exactly match
|
|
a CEL RESERVED keyword escape to '__{keyword}__'.
|
|
The keywords are:\n\t \"true\", \"false\",
|
|
\"null\", \"in\", \"as\", \"break\", \"const\",
|
|
\"continue\", \"else\", \"for\", \"function\",
|
|
\"if\",\n\t \"import\", \"let\", \"loop\",
|
|
\"package\", \"namespace\", \"return\".\nExamples:\n
|
|
\ - Expression accessing a property named \"namespace\":
|
|
{\"Expression\": \"object.__namespace__ > 0\"}\n
|
|
\ - Expression accessing a property named \"x-prop\":
|
|
{\"Expression\": \"object.x__dash__prop > 0\"}\n
|
|
\ - Expression accessing a property named \"redact__d\":
|
|
{\"Expression\": \"object.redact__underscores__d
|
|
> 0\"}\n\nEquality on arrays with list type
|
|
of 'set' or 'map' ignores element order, i.e.
|
|
[1, 2] == [2, 1].\nConcatenation on arrays with
|
|
x-kubernetes-list-type use the semantics of
|
|
the list type:\n - 'set': `X + Y` performs
|
|
a union where the array positions of all elements
|
|
in `X` are preserved and\n non-intersecting
|
|
elements in `Y` are appended, retaining their
|
|
partial order.\n - 'map': `X + Y` performs
|
|
a merge where the array positions of all keys
|
|
in `X` are preserved but the values\n are
|
|
overwritten by values in `Y` when the key sets
|
|
of `X` and `Y` intersect. Elements in `Y` with\n
|
|
\ non-intersecting keys are appended, retaining
|
|
their partial order.\nRequired."
|
|
type: string
|
|
message:
|
|
description: |-
|
|
Message represents the message displayed when validation fails. The message is required if the Expression contains
|
|
line breaks. The message must not contain line breaks.
|
|
If unset, the message is "failed rule: {Rule}".
|
|
e.g. "must be a URL with the host matching spec.host"
|
|
If the Expression contains line breaks, Message is required.
|
|
The message must not contain line breaks.
|
|
If unset, the message is "failed Expression: {Expression}".
|
|
type: string
|
|
messageExpression:
|
|
description: |-
|
|
messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
|
|
Since messageExpression is used as a failure message, it must evaluate to a string.
|
|
If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
|
|
If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
|
|
as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
|
|
that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
|
|
the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
|
|
messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
|
|
Example:
|
|
"object.x must be less than max ("+string(params.max)+")"
|
|
type: string
|
|
reason:
|
|
description: |-
|
|
Reason represents a machine-readable description of why this validation failed.
|
|
If this is the first validation in the list to fail, this reason, as well as the
|
|
corresponding HTTP response code, are used in the
|
|
HTTP response to the client.
|
|
The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
|
|
If not set, StatusReasonInvalid is used in the response to the client.
|
|
type: string
|
|
required:
|
|
- expression
|
|
type: object
|
|
type: array
|
|
paramKind:
|
|
description: ParamKind is a tuple of Group, Kind and
|
|
Version.
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion is the API group version the resources belong to.
|
|
In format of "group/version".
|
|
Required.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is the API kind the resources belong to.
|
|
Required.
|
|
type: string
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
paramRef:
|
|
description: ParamRef references a parameter resource.
|
|
properties:
|
|
name:
|
|
description: |-
|
|
name is the name of the resource being referenced.
|
|
|
|
One of `name` or `selector` must be set, but `name` and `selector` are
|
|
mutually exclusive properties. If one is set, the other must be unset.
|
|
|
|
A single parameter used for all admission requests can be configured
|
|
by setting the `name` field, leaving `selector` blank, and setting namespace
|
|
if `paramKind` is namespace-scoped.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
namespace is the namespace of the referenced resource. Allows limiting
|
|
the search for params to a specific namespace. Applies to both `name` and
|
|
`selector` fields.
|
|
|
|
A per-namespace parameter may be used by specifying a namespace-scoped
|
|
`paramKind` in the policy and leaving this field empty.
|
|
|
|
- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
|
|
field results in a configuration error.
|
|
|
|
- If `paramKind` is namespace-scoped, the namespace of the object being
|
|
evaluated for admission will be used when this field is left unset. Take
|
|
care that if this is left empty the binding must not match any cluster-scoped
|
|
resources, which will result in an error.
|
|
type: string
|
|
parameterNotFoundAction:
|
|
description: |-
|
|
`parameterNotFoundAction` controls the behavior of the binding when the resource
|
|
exists, and name or selector is valid, but there are no parameters
|
|
matched by the binding. If the value is set to `Allow`, then no
|
|
matched parameters will be treated as successful validation by the binding.
|
|
If set to `Deny`, then no matched parameters will be subject to the
|
|
`failurePolicy` of the policy.
|
|
|
|
Allowed values are `Allow` or `Deny`
|
|
|
|
Required
|
|
type: string
|
|
selector:
|
|
description: |-
|
|
selector can be used to match multiple param objects based on their labels.
|
|
Supply selector: {} to match all resources of the ParamKind.
|
|
|
|
If multiple params are found, they are all evaluated with the policy expressions
|
|
and the results are ANDed together.
|
|
|
|
One of `name` or `selector` must be set, but `name` and `selector` are
|
|
mutually exclusive properties. If one is set, the other must be unset.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
variables:
|
|
description: |-
|
|
Variables contain definitions of variables that can be used in composition of other expressions.
|
|
Each variable is defined as a named CEL expression.
|
|
The variables defined here will be available under `variables` in other expressions of the policy.
|
|
items:
|
|
description: Variable is the definition of a variable
|
|
that is used for composition. A variable is defined
|
|
as a named expression.
|
|
properties:
|
|
expression:
|
|
description: |-
|
|
Expression is the expression that will be evaluated as the value of the variable.
|
|
The CEL expression has access to the same identifiers as the CEL expressions in Validation.
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
|
|
The variable can be accessed in other expressions through `variables`
|
|
For example, if name is "foo", the variable will be available as `variables.foo`
|
|
type: string
|
|
required:
|
|
- expression
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
deny:
|
|
description: Deny defines conditions used to pass or fail
|
|
a validation rule.
|
|
properties:
|
|
conditions:
|
|
description: |-
|
|
Multiple conditions can be declared under an `any` or `all` statement.
|
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass.
|
|
items:
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display
|
|
message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- AnyIn
|
|
- AllIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions needs to pass.
|
|
items:
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display
|
|
message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- AnyIn
|
|
- AllIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: object
|
|
failureAction:
|
|
description: |-
|
|
FailureAction defines if a validation policy rule violation should block
|
|
the admission review request (Enforce), or allow (Audit) the admission review request
|
|
and report an error in a policy report. Optional.
|
|
Allowed values are Audit or Enforce.
|
|
enum:
|
|
- Audit
|
|
- Enforce
|
|
type: string
|
|
failureActionOverrides:
|
|
description: |-
|
|
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
|
|
namespace-wise. It overrides FailureAction for the specified namespaces.
|
|
items:
|
|
properties:
|
|
action:
|
|
description: ValidationFailureAction defines the policy
|
|
validation failure action
|
|
enum:
|
|
- audit
|
|
- enforce
|
|
- Audit
|
|
- Enforce
|
|
type: string
|
|
namespaceSelector:
|
|
description: |-
|
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
label selector matches no objects.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
type: array
|
|
foreach:
|
|
description: ForEach applies validate rules to a list of
|
|
sub-elements by creating a context for each entry in the
|
|
list and looping over it to apply the specified logic.
|
|
items:
|
|
description: ForEachValidation applies validate rules
|
|
to a list of sub-elements by creating a context for
|
|
each entry in the list and looping over it to apply
|
|
the specified logic.
|
|
properties:
|
|
anyPattern:
|
|
description: |-
|
|
AnyPattern specifies a list of validation patterns. At least one of the patterns
|
|
must be satisfied for the validation rule to succeed.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
context:
|
|
description: Context defines variables and data sources
|
|
that can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference or a APILookup must be provided.
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains the
|
|
HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns an error
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference is
|
|
a reference to a cached global context entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context
|
|
entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides
|
|
credentials that will be used for authentication
|
|
with the registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows
|
|
insecure access to a registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI registry names whose authentication providers are provided.
|
|
It can be one of these values: default, google, azure, amazon, github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath
|
|
context variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON
|
|
object representable in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
deny:
|
|
description: Deny defines conditions used to pass
|
|
or fail a validation rule.
|
|
properties:
|
|
conditions:
|
|
description: |-
|
|
Multiple conditions can be declared under an `any` or `all` statement. A direct list
|
|
of conditions (without `any` or `all` statements) is also supported for backwards compatibility
|
|
but will be deprecated in the next major release.
|
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
elementScope:
|
|
description: |-
|
|
ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
|
|
When set to "false", "request.object" is used as the validation scope within the foreach
|
|
block to allow referencing other elements in the subtree.
|
|
type: boolean
|
|
foreach:
|
|
description: Foreach declares a nested foreach iterator
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
list:
|
|
description: |-
|
|
List specifies a JMESPath expression that results in one or more elements
|
|
to which the validation logic is applied.
|
|
type: string
|
|
pattern:
|
|
description: Pattern specifies an overlay-style pattern
|
|
used to check resources.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
preconditions:
|
|
description: |-
|
|
AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display
|
|
message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions needs to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display
|
|
message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
manifests:
|
|
description: Manifest specifies conditions for manifest
|
|
verification
|
|
properties:
|
|
annotationDomain:
|
|
description: AnnotationDomain is custom domain of annotation
|
|
for message and signature. Default is "cosign.sigstore.dev".
|
|
type: string
|
|
attestors:
|
|
description: Attestors specify the required attestors
|
|
(i.e. authorities)
|
|
items:
|
|
properties:
|
|
count:
|
|
description: |-
|
|
Count specifies the required number of entries that must match. If the count is null, all entries must match
|
|
(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
|
|
value N, then N must be less than or equal to the size of entries, and at least N entries must match.
|
|
minimum: 1
|
|
type: integer
|
|
entries:
|
|
description: |-
|
|
Entries contains the available attestors. An attestor can be a static key,
|
|
attributes for keyless verification, or a nested attestor declaration.
|
|
items:
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations are used for image verification.
|
|
Every specified key-value pair must exist and match in the verified payload.
|
|
The payload may contain other key-value pairs.
|
|
type: object
|
|
attestor:
|
|
description: Attestor is a nested set of
|
|
Attestor used to specify a more complex
|
|
set of match authorities.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
certificates:
|
|
description: Certificates specifies one
|
|
or more certificates.
|
|
properties:
|
|
cert:
|
|
description: Cert is an optional PEM-encoded
|
|
public certificate.
|
|
type: string
|
|
certChain:
|
|
description: CertChain is an optional
|
|
PEM encoded set of certificates used
|
|
to verify.
|
|
type: string
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate transparency log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set, is
|
|
used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp response.
|
|
type: string
|
|
type: object
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips transparency
|
|
log verification. Set to true only if the signature was deliberately not uploaded to Rekor during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
keyless:
|
|
description: |-
|
|
Keyless is a set of attributes used to verify a Sigstore keyless attestor.
|
|
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions are
|
|
certificate-extensions used for keyless
|
|
signing.
|
|
type: object
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate transparency log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set, is
|
|
used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp response.
|
|
type: string
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
issuerRegExp:
|
|
description: IssuerRegExp is the regular
|
|
expression to match certificate issuer
|
|
used for keyless signing.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips transparency
|
|
log verification. Set to true only if the signature was deliberately not uploaded to Rekor during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
roots:
|
|
description: |-
|
|
Roots is an optional set of PEM encoded trusted root certificates.
|
|
If not provided, the system roots are used.
|
|
type: string
|
|
subject:
|
|
description: Subject is the verified
|
|
identity used for keyless signing,
|
|
for example the email address.
|
|
type: string
|
|
subjectRegExp:
|
|
description: SubjectRegExp is the regular
|
|
expression to match identity used
|
|
for keyless signing, for example the
|
|
email address.
|
|
type: string
|
|
type: object
|
|
keys:
|
|
description: Keys specifies one or more
|
|
public keys.
|
|
properties:
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate transparency log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set, is
|
|
used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp response.
|
|
type: string
|
|
type: object
|
|
kms:
|
|
description: |-
|
|
KMS provides the URI to the public key stored in a Key Management System. See:
|
|
https://github.com/sigstore/cosign/blob/main/KMS.md
|
|
type: string
|
|
publicKeys:
|
|
description: |-
|
|
Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
|
|
specified or can be a variable reference to a key specified in a ConfigMap (see
|
|
https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
|
|
elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
|
|
The named Secret must specify a key `cosign.pub` containing the public key used for
|
|
verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
|
|
When multiple keys are specified each key is processed as a separate staticKey entry
|
|
(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips transparency
|
|
log verification. Set to true only if the signature was deliberately not uploaded to Rekor during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
secret:
|
|
description: Reference to a Secret resource
|
|
that contains a public key
|
|
properties:
|
|
name:
|
|
description: Name of the secret.
|
|
The provided secret must contain
|
|
a key named cosign.pub.
|
|
type: string
|
|
namespace:
|
|
description: Namespace name where
|
|
the Secret exists.
|
|
type: string
|
|
required:
|
|
- name
|
|
- namespace
|
|
type: object
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Deprecated. Use attestor.signatureAlgorithm
|
|
instead.
|
|
type: string
|
|
type: object
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
|
|
If specified Repository will override other OCI image repository locations for this Attestor.
|
|
type: string
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Specify the hash algorithm used to verify
|
|
signatures made with the public keys. It must match the algorithm used at signing time.
|
|
Supported values are sha224, sha256, sha384 and sha512.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
dryRun:
|
|
description: DryRun configuration
|
|
properties:
|
|
enable:
|
|
type: boolean
|
|
namespace:
|
|
type: string
|
|
type: object
|
|
ignoreFields:
|
|
description: Fields which will be ignored while comparing
|
|
manifests.
|
|
items:
|
|
properties:
|
|
fields:
|
|
items:
|
|
type: string
|
|
type: array
|
|
objects:
|
|
items:
|
|
properties:
|
|
group:
|
|
type: string
|
|
kind:
|
|
type: string
|
|
name:
|
|
type: string
|
|
namespace:
|
|
type: string
|
|
version:
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for resource bundle reference.
|
|
The repository can be overridden per Attestor or Attestation.
|
|
type: string
|
|
type: object
|
|
message:
|
|
description: Message specifies a custom message to be displayed
|
|
on failure.
|
|
type: string
|
|
pattern:
|
|
description: Pattern specifies an overlay-style pattern
|
|
used to check resources.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
podSecurity:
|
|
description: |-
|
|
PodSecurity applies exemptions for Kubernetes Pod Security admission
|
|
by specifying exclusions for Pod Security Standards controls.
|
|
properties:
|
|
exclude:
|
|
description: Exclude specifies the Pod Security Standard
|
|
controls to be excluded.
|
|
items:
|
|
description: PodSecurityStandard specifies the Pod
|
|
Security Standard controls to be excluded.
|
|
properties:
|
|
controlName:
|
|
description: |-
|
|
ControlName specifies the name of the Pod Security Standard control.
|
|
See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
|
|
enum:
|
|
- HostProcess
|
|
- Host Namespaces
|
|
- Privileged Containers
|
|
- Capabilities
|
|
- HostPath Volumes
|
|
- Host Ports
|
|
- AppArmor
|
|
- SELinux
|
|
- /proc Mount Type
|
|
- Seccomp
|
|
- Sysctls
|
|
- Volume Types
|
|
- Privilege Escalation
|
|
- Running as Non-root
|
|
- Running as Non-root user
|
|
type: string
|
|
images:
|
|
description: |-
|
|
Images selects matching containers and applies the container level PSS.
|
|
Each image is the image name consisting of the registry address, repository, image, and tag.
|
|
Empty list matches no containers, PSS checks are applied at the pod level only.
|
|
Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
|
|
items:
|
|
type: string
|
|
type: array
|
|
restrictedField:
|
|
description: |-
|
|
RestrictedField selects the field for the given Pod Security Standard control.
|
|
When not set, all restricted fields for the control are selected.
|
|
type: string
|
|
values:
|
|
description: Values defines the allowed values
|
|
that can be excluded.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- controlName
|
|
type: object
|
|
type: array
|
|
level:
|
|
description: |-
|
|
Level defines the Pod Security Standard level to be applied to workloads.
|
|
Allowed values are privileged, baseline, and restricted.
|
|
enum:
|
|
- privileged
|
|
- baseline
|
|
- restricted
|
|
type: string
|
|
version:
|
|
description: |-
|
|
Version defines the Pod Security Standard versions that Kubernetes supports.
|
|
Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
|
|
enum:
|
|
- v1.19
|
|
- v1.20
|
|
- v1.21
|
|
- v1.22
|
|
- v1.23
|
|
- v1.24
|
|
- v1.25
|
|
- v1.26
|
|
- v1.27
|
|
- v1.28
|
|
- v1.29
|
|
- latest
|
|
type: string
|
|
type: object
|
|
type: object
|
|
verifyImages:
|
|
description: VerifyImages is used to verify image signatures
|
|
and mutate them to add a digest
|
|
items:
|
|
description: |-
|
|
ImageVerification validates that images that match the specified pattern
|
|
are signed with the supplied public key. Once the image is verified it is
|
|
mutated to include the image digest retrieved from the registry during verification.
|
|
properties:
|
|
attestations:
|
|
description: |-
|
|
Attestations are optional checks for signed in-toto Statements used to verify the image.
|
|
See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
|
|
OCI registry and decodes them into a list of Statement declarations.
|
|
items:
|
|
description: |-
|
|
Attestation is a check for signed in-toto Statements that are used to verify the image.
|
|
See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
|
|
OCI registry and decodes them into a list of Statements.
|
|
properties:
|
|
attestors:
|
|
description: Attestors specify the required attestors
|
|
(i.e. authorities).
|
|
items:
|
|
properties:
|
|
count:
|
|
description: |-
|
|
Count specifies the required number of entries that must match. If the count is null, all entries must match
|
|
(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
|
|
value N, then N must be less than or equal to the size of entries, and at least N entries must match.
|
|
minimum: 1
|
|
type: integer
|
|
entries:
|
|
description: |-
|
|
Entries contains the available attestors. An attestor can be a static key,
|
|
attributes for keyless verification, or a nested attestor declaration.
|
|
items:
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations are used for image verification.
|
|
Every specified key-value pair must exist and match in the verified payload.
|
|
The payload may contain other key-value pairs.
|
|
type: object
|
|
attestor:
|
|
description: Attestor is a nested set
|
|
of Attestor used to specify a more
|
|
complex set of match authorities.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
certificates:
|
|
description: Certificates specifies
|
|
one or more certificates.
|
|
properties:
|
|
cert:
|
|
description: Cert is an optional
|
|
PEM-encoded public certificate.
|
|
type: string
|
|
certChain:
|
|
description: CertChain is an optional
|
|
PEM encoded set of certificates
|
|
used to verify.
|
|
type: string
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate transparency log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set,
|
|
is used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp response.
|
|
type: string
|
|
type: object
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
transparency log verification. Set to true only if the signature was deliberately not uploaded to Rekor during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
keyless:
|
|
description: |-
|
|
Keyless is a set of attributes used to verify a Sigstore keyless attestor.
|
|
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions
|
|
are certificate-extensions used
|
|
for keyless signing.
|
|
type: object
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate transparency log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set,
|
|
is used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp response.
|
|
type: string
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
issuerRegExp:
|
|
description: IssuerRegExp is the
|
|
regular expression to match certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
transparency log verification. Set to true only if the signature was deliberately not uploaded to Rekor during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
roots:
|
|
description: |-
|
|
Roots is an optional set of PEM encoded trusted root certificates.
|
|
If not provided, the system roots are used.
|
|
type: string
|
|
subject:
|
|
description: Subject is the verified
|
|
identity used for keyless signing,
|
|
for example the email address.
|
|
type: string
|
|
subjectRegExp:
|
|
description: SubjectRegExp is the
|
|
regular expression to match identity
|
|
used for keyless signing, for
|
|
example the email address.
|
|
type: string
|
|
type: object
|
|
keys:
|
|
description: Keys specifies one or more
|
|
public keys.
|
|
properties:
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate transparency log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set,
|
|
is used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp response.
|
|
type: string
|
|
type: object
|
|
kms:
|
|
description: |-
|
|
KMS provides the URI to the public key stored in a Key Management System. See:
|
|
https://github.com/sigstore/cosign/blob/main/KMS.md
|
|
type: string
|
|
publicKeys:
|
|
description: |-
|
|
Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
|
|
specified or can be a variable reference to a key specified in a ConfigMap (see
|
|
https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
|
|
elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
|
|
The named Secret must specify a key `cosign.pub` containing the public key used for
|
|
verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
|
|
When multiple keys are specified each key is processed as a separate staticKey entry
|
|
(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
transparency log verification. Set to true only if the signature was deliberately not uploaded to Rekor during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
secret:
|
|
description: Reference to a Secret
|
|
resource that contains a public
|
|
key
|
|
properties:
|
|
name:
|
|
description: Name of the secret.
|
|
The provided secret must contain
|
|
a key named cosign.pub.
|
|
type: string
|
|
namespace:
|
|
description: Namespace name
|
|
where the Secret exists.
|
|
type: string
|
|
required:
|
|
- name
|
|
- namespace
|
|
type: object
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Deprecated. Use attestor.signatureAlgorithm
|
|
instead.
|
|
type: string
|
|
type: object
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
|
|
If specified Repository will override other OCI image repository locations for this Attestor.
|
|
type: string
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Specify the hash algorithm used to verify
|
|
signatures made with the public keys. It must match the algorithm used at signing time.
|
|
Supported values are sha224, sha256, sha384 and sha512.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
conditions:
|
|
description: |-
|
|
Conditions are used to verify attributes within a Predicate. If no Conditions are specified
|
|
the attestation check is satisfied as long as there are predicates that match the predicate type.
|
|
items:
|
|
description: |-
|
|
AnyAllConditions consists of wrapped conditions denoting the logical criteria to be fulfilled.
|
|
AnyConditions get fulfilled when at least one of its sub-conditions passes.
|
|
AllConditions get fulfilled only when all of its sub-conditions pass.
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions needs to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
predicateType:
|
|
description: Deprecated in favour of 'Type', to
|
|
be removed soon
|
|
type: string
|
|
type:
|
|
description: Type defines the type of attestation
|
|
contained within the Statement.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
attestors:
|
|
description: Attestors specify the required attestors
|
|
(i.e. authorities)
|
|
items:
|
|
properties:
|
|
count:
|
|
description: |-
|
|
Count specifies the required number of entries that must match. If the count is null, all entries must match
|
|
(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
|
|
value N, then N must be less than or equal to the size of entries, and at least N entries must match.
|
|
minimum: 1
|
|
type: integer
|
|
entries:
|
|
description: |-
|
|
Entries contains the available attestors. An attestor can be a static key,
|
|
attributes for keyless verification, or a nested attestor declaration.
|
|
items:
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations are used for image verification.
|
|
Every specified key-value pair must exist and match in the verified payload.
|
|
The payload may contain other key-value pairs.
|
|
type: object
|
|
attestor:
|
|
description: Attestor is a nested set of Attestor
|
|
used to specify a more complex set of match
|
|
authorities.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
certificates:
|
|
description: Certificates specifies one or
|
|
more certificates.
|
|
properties:
|
|
cert:
|
|
description: Cert is an optional PEM-encoded
|
|
public certificate.
|
|
type: string
|
|
certChain:
|
|
description: CertChain is an optional
|
|
PEM encoded set of certificates used
|
|
to verify.
|
|
type: string
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true only if SCT inclusion was opted out at signing time; doing so drops the proof that the signing certificate was recorded in the certificate transparency log.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set, is used
|
|
to validate SCTs against a custom
|
|
source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp response.
|
|
type: string
|
|
type: object
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips transparency
|
|
log verification. When true, a signature is accepted without proof that it was recorded in the transparency log, which weakens the timestamping and auditability guarantees Rekor provides; leave unset unless the signing workflow intentionally skipped the log.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address of
|
|
the transparency log. Defaults to
|
|
the public Rekor log instance https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
keyless:
|
|
description: |-
|
|
Keyless is a set of attributes used to verify a Sigstore keyless attestor.
|
|
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions are
|
|
certificate-extensions used for keyless
|
|
signing.
|
|
type: object
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true only if SCT inclusion was opted out at signing time; doing so drops the proof that the signing certificate was recorded in the certificate transparency log.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set, is used
|
|
to validate SCTs against a custom
|
|
source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp response.
|
|
type: string
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
issuerRegExp:
|
|
description: IssuerRegExp is the regular
|
|
expression to match certificate issuer
|
|
used for keyless signing.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips transparency
|
|
log verification. When true, a signature is accepted without proof that it was recorded in the transparency log, which weakens the timestamping and auditability guarantees Rekor provides; leave unset unless the signing workflow intentionally skipped the log.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address of
|
|
the transparency log. Defaults to
|
|
the public Rekor log instance https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
roots:
|
|
description: |-
|
|
Roots is an optional set of PEM encoded trusted root certificates.
|
|
If not provided, the system roots are used.
|
|
type: string
|
|
subject:
|
|
description: Subject is the verified identity
|
|
used for keyless signing, for example
|
|
the email address.
|
|
type: string
|
|
subjectRegExp:
|
|
description: SubjectRegExp is the regular
|
|
expression to match identity used for
|
|
keyless signing, for example the email
|
|
address.
|
|
type: string
|
|
type: object
|
|
keys:
|
|
description: Keys specifies one or more public
|
|
keys.
|
|
properties:
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true only if SCT inclusion was opted out at signing time; doing so drops the proof that the signing certificate was recorded in the certificate transparency log.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set, is used
|
|
to validate SCTs against a custom
|
|
source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp response.
|
|
type: string
|
|
type: object
|
|
kms:
|
|
description: |-
|
|
KMS provides the URI to the public key stored in a Key Management System. See:
|
|
https://github.com/sigstore/cosign/blob/main/KMS.md
|
|
type: string
|
|
publicKeys:
|
|
description: |-
|
|
Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
|
|
specified or can be a variable reference to a key specified in a ConfigMap (see
|
|
https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
|
|
elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
|
|
The named Secret must specify a key `cosign.pub` containing the public key used for
|
|
verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
|
|
When multiple keys are specified each key is processed as a separate staticKey entry
|
|
(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips transparency
|
|
log verification. When true, a signature is accepted without proof that it was recorded in the transparency log, which weakens the timestamping and auditability guarantees Rekor provides; leave unset unless the signing workflow intentionally skipped the log.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address of
|
|
the transparency log. Defaults to
|
|
the public Rekor log instance https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
secret:
|
|
description: Reference to a Secret resource
|
|
that contains a public key
|
|
properties:
|
|
name:
|
|
description: Name of the secret. The
|
|
provided secret must contain a key
|
|
named cosign.pub.
|
|
type: string
|
|
namespace:
|
|
description: Namespace name where
|
|
the Secret exists.
|
|
type: string
|
|
required:
|
|
- name
|
|
- namespace
|
|
type: object
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Deprecated. Use attestor.signatureAlgorithm
|
|
instead.
|
|
type: string
|
|
type: object
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
|
|
If specified Repository will override other OCI image repository locations for this Attestor.
|
|
type: string
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Specifies the hash (digest) algorithm used to verify signatures made with
|
|
public keys. Supported values are sha224,
|
|
sha256, sha384 and sha512. It must match the hash algorithm used when the signature was produced, otherwise verification fails.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
failureAction:
|
|
description: Allowed values are Audit or Enforce.
|
|
enum:
|
|
- Audit
|
|
- Enforce
|
|
type: string
|
|
imageReferences:
|
|
description: |-
|
|
ImageReferences is a list of matching image reference patterns. At least one pattern in the
|
|
list must match the image for the rule to apply. Each image reference consists of a registry
|
|
address (defaults to docker.io), repository, image, and tag (defaults to latest).
|
|
Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
|
|
items:
|
|
type: string
|
|
type: array
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides credentials
|
|
that will be used for authentication with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows insecure
|
|
access to a registry (e.g. plain HTTP or an unverified TLS certificate). Leave unset outside test environments.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies the list of registry credential providers to use when authenticating to the registry.
|
|
Each entry must be one of: default, google, azure, amazon, github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
mutateDigest:
|
|
default: true
|
|
description: |-
|
|
MutateDigest enables replacement of image tags with digests.
|
|
Defaults to true. Pinning the digest ensures the image that runs is exactly the one that was verified, since a tag can be re-pointed to different content after verification.
|
|
type: boolean
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
|
|
If specified Repository will override the default OCI image repository configured for the installation.
|
|
The repository can also be overridden per Attestor or Attestation.
|
|
type: string
|
|
required:
|
|
default: true
|
|
description: Required validates that images are verified
|
|
i.e. have passed a signature or attestation
|
|
check.
|
|
type: boolean
|
|
skipImageReferences:
|
|
description: |-
|
|
SkipImageReferences is a list of matching image reference patterns that should be skipped.
|
|
At least one pattern in the list must match the image for the rule to be skipped. Each image reference
|
|
consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
|
|
Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type:
|
|
description: |-
|
|
Type specifies the method of signature validation. The allowed options
|
|
are Cosign, SigstoreBundle and Notary. By default Cosign is used if a type is not specified.
|
|
enum:
|
|
- Cosign
|
|
- SigstoreBundle
|
|
- Notary
|
|
type: string
|
|
useCache:
|
|
default: true
|
|
description: UseCache enables caching of image verify
|
|
responses for this rule
|
|
type: boolean
|
|
verifyDigest:
|
|
default: true
|
|
description: VerifyDigest validates that images have a
|
|
digest.
|
|
type: boolean
|
|
type: object
|
|
type: array
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
schemaValidation:
|
|
description: Deprecated.
|
|
type: boolean
|
|
useServerSideApply:
|
|
description: |-
|
|
UseServerSideApply controls whether to use server-side apply for generate rules
|
|
If set to "true", create & update for generate rules will use apply instead of create/update.
|
|
Defaults to "false" if not specified.
|
|
type: boolean
|
|
validationFailureAction:
|
|
default: Audit
|
|
description: Deprecated, use validationFailureAction under the validate
|
|
rule instead.
|
|
enum:
|
|
- audit
|
|
- enforce
|
|
- Audit
|
|
- Enforce
|
|
type: string
|
|
validationFailureActionOverrides:
|
|
description: Deprecated, use validationFailureActionOverrides under
|
|
the validate rule instead.
|
|
items:
|
|
properties:
|
|
action:
|
|
description: ValidationFailureAction defines the policy validation
|
|
failure action
|
|
enum:
|
|
- audit
|
|
- enforce
|
|
- Audit
|
|
- Enforce
|
|
type: string
|
|
namespaceSelector:
|
|
description: |-
|
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
label selector matches no objects.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label selector
|
|
requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the selector
|
|
applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
type: array
|
|
webhookConfiguration:
|
|
description: WebhookConfiguration specifies the custom configuration
|
|
for Kubernetes admission webhookconfiguration.
|
|
properties:
|
|
failurePolicy:
|
|
description: |-
|
|
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
|
|
Rules within the same policy share the same failure behavior.
|
|
This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
|
|
Allowed values are Ignore or Fail. Defaults to Fail. Note that Ignore fails open: if the webhook errors or times out, the request is admitted without this policy being evaluated.
|
|
enum:
|
|
- Ignore
|
|
- Fail
|
|
type: string
|
|
matchConditions:
|
|
description: |-
|
|
MatchCondition configures admission webhook matchConditions.
|
|
Requires Kubernetes 1.27 or later.
|
|
items:
|
|
description: MatchCondition represents a condition which must
|
|
be fulfilled for a request to be sent to a webhook.
|
|
properties:
|
|
expression:
|
|
description: |-
|
|
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
|
|
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
|
|
|
|
'object' - The object from the incoming request. The value is null for DELETE requests.
|
|
'oldObject' - The existing object. The value is null for CREATE requests.
|
|
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
|
|
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
|
|
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
|
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
|
|
request resource.
|
|
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
|
|
|
|
Required.
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name is an identifier for this match condition, used for strategic merging of MatchConditions,
|
|
as well as providing an identifier for logging purposes. A good name should be descriptive of
|
|
the associated expression.
|
|
Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
|
|
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
|
|
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
|
|
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
|
|
|
|
Required.
|
|
type: string
|
|
required:
|
|
- expression
|
|
- name
|
|
type: object
|
|
type: array
|
|
timeoutSeconds:
|
|
description: |-
|
|
TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
|
|
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
|
|
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
|
|
format: int32
|
|
type: integer
|
|
type: object
|
|
webhookTimeoutSeconds:
|
|
description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration
|
|
instead.
|
|
format: int32
|
|
type: integer
|
|
type: object
|
|
status:
|
|
description: Status contains policy runtime data.
|
|
properties:
|
|
autogen:
|
|
description: AutogenStatus contains autogen status information.
|
|
properties:
|
|
rules:
|
|
description: Rules is a list of Rule instances. It contains auto
|
|
generated rules added for pod controllers
|
|
items:
|
|
description: |-
|
|
Rule defines a validation, mutation, or generation control for matching resources.
|
|
Each rules contains a match declaration to select resources, and an optional exclude
|
|
declaration to specify which resources to exclude.
|
|
properties:
|
|
celPreconditions:
|
|
description: |-
|
|
CELPreconditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of CEL conditions. It can only be used with the validate.cel subrule
|
|
items:
|
|
description: MatchCondition represents a condition which
|
|
must be fulfilled for a request to be sent to a webhook.
|
|
properties:
|
|
expression:
|
|
description: |-
|
|
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
|
|
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
|
|
|
|
'object' - The object from the incoming request. The value is null for DELETE requests.
|
|
'oldObject' - The existing object. The value is null for CREATE requests.
|
|
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
|
|
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
|
|
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
|
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
|
|
request resource.
|
|
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
|
|
|
|
Required.
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name is an identifier for this match condition, used for strategic merging of MatchConditions,
|
|
as well as providing an identifier for logging purposes. A good name should be descriptive of
|
|
the associated expression.
|
|
Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
|
|
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
|
|
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
|
|
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
|
|
|
|
Required.
|
|
type: string
|
|
required:
|
|
- expression
|
|
- name
|
|
type: object
|
|
type: array
|
|
context:
|
|
description: Context defines variables and data sources
|
|
that can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference, an apiCall, an imageRegistry lookup, an inline variable, or a globalReference must be provided (exactly one per entry).
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains the HTTP POST
|
|
data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns an error
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request type (GET
|
|
or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference is a reference
|
|
to a cached global context entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides
|
|
credentials that will be used for authentication
|
|
with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows
|
|
insecure access to a registry (e.g. plain HTTP or an unverified TLS certificate). Leave unset outside test environments.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies the list of registry credential providers to use when authenticating to the registry.
|
|
Each entry must be one of: default, google, azure, amazon, github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential providers
|
|
required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath
|
|
context variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON object
|
|
representable in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
exclude:
|
|
description: |-
|
|
ExcludeResources defines when this policy rule should not be applied. The exclude
|
|
criteria can include resource information (e.g. kind, name, namespace, labels)
|
|
and admission review request information like the name or role.
|
|
not:
|
|
required:
|
|
- any
|
|
- all
|
|
properties:
|
|
all:
|
|
description: All allows specifying resources which will
|
|
be ANDed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or
|
|
"OR" between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character).Wildcards allows writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespaces names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values
|
|
["CREATE", "UPDATE", "CONNECT", "DELETE"],
|
|
which are used to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have
|
|
one of the values CREATE, UPDATE, CONNECT,
|
|
DELETE, which are used to match a specific
|
|
action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: Any allows specifying resources which will
|
|
be ORed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or
|
|
"OR" between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespaces names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values
|
|
["CREATE", "UPDATE", "CONNECT", "DELETE"],
|
|
which are used to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have
|
|
one of the values CREATE, UPDATE, CONNECT,
|
|
DELETE, which are used to match a specific
|
|
action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: |-
|
|
ResourceDescription contains information about the resource being created or modified.
|
|
Requires at least one tag to be specified when under MatchResources.
|
|
Specifying ResourceDescription directly under match is being deprecated.
|
|
Please specify under "any" or "all" instead.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespaces names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used
|
|
to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one of
|
|
the values CREATE, UPDATE, CONNECT, DELETE,
|
|
which are used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
generate:
|
|
description: Generation is used to create new resources.
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
clone:
|
|
description: |-
|
|
Clone specifies the source resource used to populate each generated resource.
|
|
At most one of Data or Clone can be specified. If neither are provided, the generated
|
|
resource will be created with default data only.
|
|
properties:
|
|
name:
|
|
description: Name specifies name of the resource.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies source resource
|
|
namespace.
|
|
type: string
|
|
type: object
|
|
cloneList:
|
|
description: CloneList specifies the list of source
|
|
resource used to populate each generated resource.
|
|
properties:
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespace:
|
|
description: Namespace specifies source resource
|
|
namespace.
|
|
type: string
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. For label keys and values in `matchLabels`,
|
|
wildcard characters are not supported.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
data:
|
|
description: |-
|
|
Data provides the resource declaration used to populate each generated resource.
|
|
At most one of Data or Clone can be specified. If neither is provided, the generated
|
|
resource will be created with default data only.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
foreach:
|
|
description: ForEach applies generate rules to a list
|
|
of sub-elements by creating a context for each entry
|
|
in the list and looping over it to apply the specified
|
|
logic.
|
|
items:
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
clone:
|
|
description: |-
|
|
Clone specifies the source resource used to populate each generated resource.
|
|
At most one of Data or Clone can be specified. If neither are provided, the generated
|
|
resource will be created with default data only.
|
|
properties:
|
|
name:
|
|
description: Name specifies name of the resource.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies source resource
|
|
namespace.
|
|
type: string
|
|
type: object
|
|
cloneList:
|
|
description: CloneList specifies the list of source
|
|
resource used to populate each generated resource.
|
|
properties:
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespace:
|
|
description: Namespace specifies source resource
|
|
namespace.
|
|
type: string
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. For label keys and values in `matchLabels`,
|
|
wildcard characters are not supported.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
context:
|
|
description: Context defines variables and data
|
|
sources that can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference or a APILookup must be provided.
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains
|
|
the HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data
|
|
value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns error
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap
|
|
reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference
|
|
is a reference to a cached global context
|
|
entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context
|
|
entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials
|
|
provides credentials that will be
|
|
used for authentication with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry
|
|
allows insecure access to a registry. Enabling it weakens the trust that can be placed in the fetched image data, so leave it unset unless required.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
It can be one of these values: default, google, azure, amazon, github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary
|
|
JMESPath context variable that can be
|
|
defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary
|
|
JSON object representable in YAML
|
|
or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
data:
|
|
description: |-
|
|
Data provides the resource declaration used to populate each generated resource.
|
|
At most one of Data or Clone can be specified. If neither is provided, the generated
|
|
resource will be created with default data only.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
list:
|
|
description: |-
|
|
List specifies a JMESPath expression that results in one or more elements
|
|
to which the validation logic is applied.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
preconditions:
|
|
description: |-
|
|
AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions needs to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be a fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
uid:
|
|
description: UID specifies the resource uid.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
generateExisting:
|
|
description: |-
|
|
GenerateExisting controls whether to trigger the rule in existing resources
|
|
If it is set to "true", the rule will be triggered and applied to existing matched resources.
|
|
type: boolean
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
orphanDownstreamOnPolicyDelete:
|
|
description: |-
|
|
OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
|
|
them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
|
|
See https://kyverno.io/docs/writing-policies/generate/#data-examples.
|
|
Defaults to "false" if not specified.
|
|
type: boolean
|
|
synchronize:
|
|
description: |-
|
|
Synchronize controls if generated resources should be kept in-sync with their source resource.
|
|
If Synchronize is set to "true" changes to generated resources will be overwritten with resource
|
|
data from Data or the resource specified in the Clone declaration.
|
|
Optional. Defaults to "false" if not specified.
|
|
type: boolean
|
|
uid:
|
|
description: UID specifies the resource uid.
|
|
type: string
|
|
type: object
|
|
imageExtractors:
|
|
additionalProperties:
|
|
items:
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath expression to apply to the image value.
|
|
This is useful when the extracted image begins with a prefix like 'docker://'.
|
|
The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
|
|
Note - Image digest mutation may not be used when applying a JMESPath to an image.
|
|
type: string
|
|
key:
|
|
description: |-
|
|
Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
|
|
Note - this field MUST be unique.
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name is the entry the image will be available under 'images.<name>' in the context.
|
|
If this field is not defined, image entries will appear under 'images.custom'.
|
|
type: string
|
|
path:
|
|
description: |-
|
|
Path is the path to the object containing the image field in a custom resource.
|
|
It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
|
|
Wildcard keys are expanded in case of arrays or objects.
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is an optional name of the field within 'path' that points to the image URI.
|
|
This is useful when a custom 'key' is also defined.
|
|
type: string
|
|
required:
|
|
- path
|
|
type: object
|
|
type: array
|
|
description: |-
|
|
ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
|
|
This config is only valid for verifyImages rules.
|
|
type: object
|
|
match:
|
|
description: |-
|
|
MatchResources defines when this policy rule should be applied. The match
|
|
criteria can include resource information (e.g. kind, name, namespace, labels)
|
|
and admission review request information like the user name or role.
|
|
At least one kind is required.
|
|
not:
|
|
required:
|
|
- any
|
|
- all
|
|
properties:
|
|
all:
|
|
description: All allows specifying resources which will
|
|
be ANDed
|
|
items:
|
|
description: ResourceFilter allows users to "AND" or
|
|
"OR" between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values
|
|
["CREATE", "UPDATE", "CONNECT", "DELETE"],
|
|
which are used to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have
|
|
one of the values CREATE, UPDATE, CONNECT,
|
|
DELETE, which are used to match a specific
|
|
action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: Any allows specifying resources which will
|
|
be ORed
|
|
items:
|
|
description: ResourceFilter allows users to "AND" or
|
|
"OR" between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values
|
|
["CREATE", "UPDATE", "CONNECT", "DELETE"],
|
|
which are used to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have
|
|
one of the values CREATE, UPDATE, CONNECT,
|
|
DELETE, which are used to match a specific
|
|
action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: |-
|
|
ResourceDescription contains information about the resource being created or modified.
|
|
Requires at least one tag to be specified when under MatchResources.
|
|
Specifying ResourceDescription directly under match is being deprecated.
|
|
Please specify under "any" or "all" instead.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used
|
|
to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one of
|
|
the values CREATE, UPDATE, CONNECT, DELETE,
|
|
which are used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
mutate:
|
|
description: Mutation is used to modify matching resources.
|
|
properties:
|
|
foreach:
|
|
description: ForEach applies mutation rules to a list
|
|
of sub-elements by creating a context for each entry
|
|
in the list and looping over it to apply the specified
|
|
logic.
|
|
items:
|
|
description: ForEachMutation applies mutation rules
|
|
to a list of sub-elements by creating a context
|
|
for each entry in the list and looping over it to
|
|
apply the specified logic.
|
|
properties:
|
|
context:
|
|
description: Context defines variables and data
|
|
sources that can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference or an APILookup must be provided.
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains
|
|
the HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data
|
|
value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns an error
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap
|
|
reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference
|
|
is a reference to a cached global context
|
|
entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context
|
|
entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials
|
|
provides credentials that will be
|
|
used for authentication with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry
|
|
allows insecure access to a registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
It can be one of these values: default, google, azure, amazon, github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is an image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary
|
|
JMESPath context variable that can be
|
|
defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary
|
|
JSON object representable in YAML
|
|
or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
foreach:
|
|
description: Foreach declares a nested foreach
|
|
iterator
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
list:
|
|
description: |-
|
|
List specifies a JMESPath expression that results in one or more elements
|
|
to which the validation logic is applied.
|
|
type: string
|
|
order:
|
|
description: |-
|
|
Order defines the iteration order on the list.
|
|
Can be Ascending to iterate from first to last element or Descending to iterate from last to first element.
|
|
enum:
|
|
- Ascending
|
|
- Descending
|
|
type: string
|
|
patchStrategicMerge:
|
|
description: |-
|
|
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
|
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
|
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
patchesJson6902:
|
|
description: |-
|
|
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
|
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
|
type: string
|
|
preconditions:
|
|
description: |-
|
|
AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
mutateExistingOnPolicyUpdate:
|
|
description: MutateExistingOnPolicyUpdate controls if
|
|
the mutateExisting rule will be applied on policy
|
|
events.
|
|
type: boolean
|
|
patchStrategicMerge:
|
|
description: |-
|
|
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
|
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
|
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
patchesJson6902:
|
|
description: |-
|
|
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
|
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
|
type: string
|
|
targets:
|
|
description: Targets defines the target resources to
|
|
be mutated.
|
|
items:
|
|
description: TargetResourceSpec defines targets for
|
|
mutating existing resources.
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
context:
|
|
description: Context defines variables and data
|
|
sources that can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference or an APILookup must be provided.
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains
|
|
the HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data
|
|
value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns error
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap
|
|
reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference
|
|
is a reference to a cached global context
|
|
entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context
|
|
entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials
|
|
provides credentials that will be
|
|
used for authentication with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry
|
|
allows insecure access to a registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
It can be one of these values: default, google, azure, amazon, github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is an image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary
|
|
JMESPath context variable that can be
|
|
defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary
|
|
JSON object representable in YAML
|
|
or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
preconditions:
|
|
description: |-
|
|
Preconditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
|
|
of conditions (without `any` or `all` statements) is supported for backwards compatibility but
|
|
will be deprecated in the next major release.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
uid:
|
|
description: UID specifies the resource uid.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
name:
|
|
description: Name is a label to identify the rule. It must
|
|
be unique within the policy.
|
|
maxLength: 63
|
|
type: string
|
|
preconditions:
|
|
description: |-
|
|
Preconditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
|
|
of conditions (without `any` or `all` statements) is supported for backwards compatibility but
|
|
will be deprecated in the next major release.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
reportProperties:
|
|
additionalProperties:
|
|
type: string
|
|
description: ReportProperties are the additional properties
|
|
from the rule that will be added to the policy report
|
|
result
|
|
type: object
|
|
skipBackgroundRequests:
|
|
default: true
|
|
description: |-
|
|
SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
|
|
The default value is set to "true"; it must be set to "false" to apply
|
|
generate and mutateExisting rules to those requests.
|
|
type: boolean
|
|
validate:
|
|
description: Validation is used to validate matching resources.
|
|
properties:
|
|
anyPattern:
|
|
description: |-
|
|
AnyPattern specifies list of validation patterns. At least one of the patterns
|
|
must be satisfied for the validation rule to succeed.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
assert:
|
|
description: Assert defines a kyverno-json assertion
|
|
tree.
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
cel:
|
|
description: CEL allows validation checks using the
|
|
Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
|
|
properties:
|
|
auditAnnotations:
|
|
description: AuditAnnotations contains CEL expressions
|
|
which are used to produce audit annotations for
|
|
the audit event of the API request.
|
|
items:
|
|
description: AuditAnnotation describes how to
|
|
produce an audit annotation for an API request.
|
|
properties:
|
|
key:
|
|
description: |-
|
|
key specifies the audit annotation key. The audit annotation keys of
|
|
a ValidatingAdmissionPolicy must be unique. The key must be a qualified
|
|
name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
|
|
|
|
The key is combined with the resource name of the
|
|
ValidatingAdmissionPolicy to construct an audit annotation key:
|
|
"{ValidatingAdmissionPolicy name}/{key}".
|
|
|
|
If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
|
|
and the same audit annotation key, the annotation key will be identical.
|
|
In this case, the first annotation written with the key will be included
|
|
in the audit event and all subsequent annotations with the same key
|
|
will be discarded.
|
|
|
|
Required.
|
|
type: string
|
|
valueExpression:
|
|
description: |-
|
|
valueExpression represents the expression which is evaluated by CEL to
|
|
produce an audit annotation value. The expression must evaluate to either
|
|
a string or null value. If the expression evaluates to a string, the
|
|
audit annotation is included with the string value. If the expression
|
|
evaluates to null or empty string the audit annotation will be omitted.
|
|
The valueExpression may be no longer than 5kb in length.
|
|
If the result of the valueExpression is more than 10kb in length, it
|
|
will be truncated to 10kb.
|
|
|
|
If multiple ValidatingAdmissionPolicyBinding resources match an
|
|
API request, then the valueExpression will be evaluated for
|
|
each binding. All unique values produced by the valueExpressions
|
|
will be joined together in a comma-separated list.
|
|
|
|
Required.
|
|
type: string
|
|
required:
|
|
- key
|
|
- valueExpression
|
|
type: object
|
|
type: array
|
|
expressions:
|
|
description: Expressions is a list of CELExpression
|
|
types.
|
|
items:
|
|
description: Validation specifies the CEL expression
|
|
which is used to apply the validation.
|
|
properties:
|
|
expression:
|
|
description: "Expression represents the expression
|
|
which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
|
|
expressions have access to the contents
|
|
of the API request/response, organized into
|
|
CEL variables as well as some other useful
|
|
variables:\n\n- 'object' - The object from
|
|
the incoming request. The value is null
|
|
for DELETE requests.\n- 'oldObject' - The
|
|
existing object. The value is null for CREATE
|
|
requests.\n- 'request' - Attributes of the
|
|
API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
|
|
'params' - Parameter resource referred to
|
|
by the policy binding being evaluated. Only
|
|
populated if the policy has a ParamKind.\n-
|
|
'namespaceObject' - The namespace object
|
|
that the incoming object belongs to. The
|
|
value is null for cluster-scoped resources.\n-
|
|
'variables' - Map of composited variables,
|
|
from its name to its lazily evaluated value.\n
|
|
\ For example, a variable named 'foo' can
|
|
be accessed as 'variables.foo'.\n- 'authorizer'
|
|
- A CEL Authorizer. May be used to perform
|
|
authorization checks for the principal (user
|
|
or service account) of the request.\n See
|
|
https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
|
|
'authorizer.requestResource' - A CEL ResourceCheck
|
|
constructed from the 'authorizer' and configured
|
|
with the\n request resource.\n\nThe `apiVersion`,
|
|
`kind`, `metadata.name` and `metadata.generateName`
|
|
are always accessible from the root of the\nobject.
|
|
No other metadata properties are accessible.\n\nOnly
|
|
property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
|
|
are accessible.\nAccessible property names
|
|
are escaped according to the following rules
|
|
when accessed in the expression:\n- '__'
|
|
escapes to '__underscores__'\n- '.' escapes
|
|
to '__dot__'\n- '-' escapes to '__dash__'\n-
|
|
'/' escapes to '__slash__'\n- Property names
|
|
that exactly match a CEL RESERVED keyword
|
|
escape to '__{keyword}__'. The keywords
|
|
are:\n\t \"true\", \"false\", \"null\",
|
|
\"in\", \"as\", \"break\", \"const\", \"continue\",
|
|
\"else\", \"for\", \"function\", \"if\",\n\t
|
|
\ \"import\", \"let\", \"loop\", \"package\",
|
|
\"namespace\", \"return\".\nExamples:\n
|
|
\ - Expression accessing a property named
|
|
\"namespace\": {\"Expression\": \"object.__namespace__
|
|
> 0\"}\n - Expression accessing a property
|
|
named \"x-prop\": {\"Expression\": \"object.x__dash__prop
|
|
> 0\"}\n - Expression accessing a property
|
|
named \"redact__d\": {\"Expression\": \"object.redact__underscores__d
|
|
> 0\"}\n\nEquality on arrays with list type
|
|
of 'set' or 'map' ignores element order,
|
|
i.e. [1, 2] == [2, 1].\nConcatenation on
|
|
arrays with x-kubernetes-list-type use the
|
|
semantics of the list type:\n - 'set':
|
|
`X + Y` performs a union where the array
|
|
positions of all elements in `X` are preserved
|
|
and\n non-intersecting elements in `Y`
|
|
are appended, retaining their partial order.\n
|
|
\ - 'map': `X + Y` performs a merge where
|
|
the array positions of all keys in `X` are
|
|
preserved but the values\n are overwritten
|
|
by values in `Y` when the key sets of `X`
|
|
and `Y` intersect. Elements in `Y` with\n
|
|
\ non-intersecting keys are appended,
|
|
retaining their partial order.\nRequired."
|
|
type: string
|
|
message:
|
|
description: |-
|
|
Message represents the message displayed when validation fails. The message is required if the Expression contains
|
|
line breaks. The message must not contain line breaks.
|
|
If unset, the message is "failed rule: {Rule}".
|
|
e.g. "must be a URL with the host matching spec.host"
|
|
If the Expression contains line breaks. Message is required.
|
|
The message must not contain line breaks.
|
|
If unset, the message is "failed Expression: {Expression}".
|
|
type: string
|
|
messageExpression:
|
|
description: |-
|
|
messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
|
|
Since messageExpression is used as a failure message, it must evaluate to a string.
|
|
If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
|
|
If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
|
|
as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
|
|
that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
|
|
the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
|
|
messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
|
|
Example:
|
|
"object.x must be less than max ("+string(params.max)+")"
|
|
type: string
|
|
reason:
|
|
description: |-
|
|
Reason represents a machine-readable description of why this validation failed.
|
|
If this is the first validation in the list to fail, this reason, as well as the
|
|
corresponding HTTP response code, are used in the
|
|
HTTP response to the client.
|
|
The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
|
|
If not set, StatusReasonInvalid is used in the response to the client.
|
|
type: string
|
|
required:
|
|
- expression
|
|
type: object
|
|
type: array
|
|
paramKind:
|
|
description: ParamKind is a tuple of Group Kind
|
|
and Version.
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion is the API group version the resources belong to.
|
|
In format of "group/version".
|
|
Required.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is the API kind the resources belong to.
|
|
Required.
|
|
type: string
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
paramRef:
|
|
description: ParamRef references a parameter resource.
|
|
properties:
|
|
name:
|
|
description: |-
|
|
name is the name of the resource being referenced.
|
|
|
|
One of `name` or `selector` must be set, but `name` and `selector` are
|
|
mutually exclusive properties. If one is set, the other must be unset.
|
|
|
|
A single parameter used for all admission requests can be configured
|
|
by setting the `name` field, leaving `selector` blank, and setting namespace
|
|
if `paramKind` is namespace-scoped.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
namespace is the namespace of the referenced resource. Allows limiting
|
|
the search for params to a specific namespace. Applies to both `name` and
|
|
`selector` fields.
|
|
|
|
A per-namespace parameter may be used by specifying a namespace-scoped
|
|
`paramKind` in the policy and leaving this field empty.
|
|
|
|
- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
|
|
field results in a configuration error.
|
|
|
|
- If `paramKind` is namespace-scoped, the namespace of the object being
|
|
evaluated for admission will be used when this field is left unset. Take
|
|
care that if this is left empty the binding must not match any cluster-scoped
|
|
resources, which will result in an error.
|
|
type: string
|
|
parameterNotFoundAction:
|
|
description: |-
|
|
`parameterNotFoundAction` controls the behavior of the binding when the resource
|
|
exists, and name or selector is valid, but there are no parameters
|
|
matched by the binding. If the value is set to `Allow`, then no
|
|
matched parameters will be treated as successful validation by the binding.
|
|
If set to `Deny`, then no matched parameters will be subject to the
|
|
`failurePolicy` of the policy.
|
|
|
|
Allowed values are `Allow` or `Deny`
|
|
|
|
Required
|
|
type: string
|
|
selector:
|
|
description: |-
|
|
selector can be used to match multiple param objects based on their labels.
|
|
Supply selector: {} to match all resources of the ParamKind.
|
|
|
|
If multiple params are found, they are all evaluated with the policy expressions
|
|
and the results are ANDed together.
|
|
|
|
One of `name` or `selector` must be set, but `name` and `selector` are
|
|
mutually exclusive properties. If one is set, the other must be unset.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
variables:
|
|
description: |-
|
|
Variables contain definitions of variables that can be used in composition of other expressions.
|
|
Each variable is defined as a named CEL expression.
|
|
The variables defined here will be available under `variables` in other expressions of the policy.
|
|
items:
|
|
description: Variable is the definition of a variable
|
|
that is used for composition. A variable is
|
|
defined as a named expression.
|
|
properties:
|
|
expression:
|
|
description: |-
|
|
Expression is the expression that will be evaluated as the value of the variable.
|
|
The CEL expression has access to the same identifiers as the CEL expressions in Validation.
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
|
|
The variable can be accessed in other expressions through `variables`
|
|
For example, if name is "foo", the variable will be available as `variables.foo`
|
|
type: string
|
|
required:
|
|
- expression
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
deny:
|
|
description: Deny defines conditions used to pass or
|
|
fail a validation rule.
|
|
properties:
|
|
conditions:
|
|
description: |-
|
|
Multiple conditions can be declared under an `any` or `all` statement. A direct list
|
|
of conditions (without `any` or `all` statements) is also supported for backwards compatibility
|
|
but will be deprecated in the next major release.
|
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
failureAction:
|
|
description: |-
|
|
FailureAction defines if a validation policy rule violation should block
|
|
the admission review request (Enforce), or allow (Audit) the admission review request
|
|
and report an error in a policy report. Optional.
|
|
Allowed values are Audit or Enforce.
|
|
enum:
|
|
- Audit
|
|
- Enforce
|
|
type: string
|
|
failureActionOverrides:
|
|
description: |-
|
|
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
|
|
namespace-wise. It overrides FailureAction for the specified namespaces.
|
|
items:
|
|
properties:
|
|
action:
|
|
description: ValidationFailureAction defines the
|
|
policy validation failure action
|
|
enum:
|
|
- audit
|
|
- enforce
|
|
- Audit
|
|
- Enforce
|
|
type: string
|
|
namespaceSelector:
|
|
description: |-
|
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
label selector matches no objects.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
type: array
|
|
foreach:
|
|
description: ForEach applies validate rules to a list
|
|
of sub-elements by creating a context for each entry
|
|
in the list and looping over it to apply the specified
|
|
logic.
|
|
items:
|
|
description: ForEachValidation applies validate rules
|
|
to a list of sub-elements by creating a context
|
|
for each entry in the list and looping over it to
|
|
apply the specified logic.
|
|
properties:
|
|
anyPattern:
|
|
description: |-
|
|
AnyPattern specifies list of validation patterns. At least one of the patterns
|
|
must be satisfied for the validation rule to succeed.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
context:
|
|
description: Context defines variables and data
|
|
sources that can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference or an APILookup must be provided.
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains
|
|
the HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data
|
|
value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns error
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap
|
|
reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference
|
|
is a reference to a cached global context
|
|
entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context
|
|
entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials
|
|
provides credentials that will be
|
|
used for authentication with the registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry
|
|
allows insecure access to a registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI registry names whose authentication providers are enabled.
|
|
It can be one of these values: default, google, azure, amazon, github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary
|
|
JMESPath context variable that can be
|
|
defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary
|
|
JSON object representable in YAML
|
|
or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
deny:
|
|
description: Deny defines conditions used to pass
|
|
or fail a validation rule.
|
|
properties:
|
|
conditions:
|
|
description: |-
|
|
Multiple conditions can be declared under an `any` or `all` statement. A direct list
|
|
of conditions (without `any` or `all` statements) is also supported for backwards compatibility
|
|
but will be deprecated in the next major release.
|
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
elementScope:
|
|
description: |-
|
|
ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
|
|
When set to "false", "request.object" is used as the validation scope within the foreach
|
|
block to allow referencing other elements in the subtree.
|
|
type: boolean
|
|
foreach:
|
|
description: Foreach declares a nested foreach
|
|
iterator
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
list:
|
|
description: |-
|
|
List specifies a JMESPath expression that results in one or more elements
|
|
to which the validation logic is applied.
|
|
type: string
|
|
pattern:
|
|
description: Pattern specifies an overlay-style
|
|
pattern used to check resources.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
preconditions:
|
|
description: |-
|
|
AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions needs to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
manifests:
|
|
description: Manifest specifies conditions for manifest
|
|
verification
|
|
properties:
|
|
annotationDomain:
|
|
description: AnnotationDomain is custom domain of
|
|
annotation for message and signature. Default
|
|
is "cosign.sigstore.dev".
|
|
type: string
|
|
attestors:
|
|
description: Attestors specifies the required attestors
|
|
(i.e. authorities)
|
|
items:
|
|
properties:
|
|
count:
|
|
description: |-
|
|
Count specifies the required number of entries that must match. If the count is null, all entries must match
|
|
(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
|
|
value N, then N must be less than or equal to the size of entries, and at least N entries must match.
|
|
minimum: 1
|
|
type: integer
|
|
entries:
|
|
description: |-
|
|
Entries contains the available attestors. An attestor can be a static key,
|
|
attributes for keyless verification, or a nested attestor declaration.
|
|
items:
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations are used for image verification.
|
|
Every specified key-value pair must exist and match in the verified payload.
|
|
The payload may contain other key-value pairs.
|
|
type: object
|
|
attestor:
|
|
description: Attestor is a nested set
|
|
of Attestor used to specify a more
|
|
complex set of match authorities.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
certificates:
|
|
description: Certificates specifies
|
|
one or more certificates.
|
|
properties:
|
|
cert:
|
|
description: Cert is an optional
|
|
PEM-encoded public certificate.
|
|
type: string
|
|
certChain:
|
|
description: CertChain is an optional
|
|
PEM encoded set of certificates
|
|
used to verify.
|
|
type: string
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate transparency log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set,
|
|
is used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp response.
|
|
type: string
|
|
type: object
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
transparency log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
keyless:
|
|
description: |-
|
|
Keyless is a set of attributes used to verify a Sigstore keyless attestor.
|
|
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions
|
|
are certificate-extensions used
|
|
for keyless signing.
|
|
type: object
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate transparency log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set,
|
|
is used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp response.
|
|
type: string
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
issuerRegExp:
|
|
description: IssuerRegExp is the
|
|
regular expression to match certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
transparency log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
roots:
|
|
description: |-
|
|
Roots is an optional set of PEM encoded trusted root certificates.
|
|
If not provided, the system roots are used.
|
|
type: string
|
|
subject:
|
|
description: Subject is the verified
|
|
identity used for keyless signing,
|
|
for example the email address.
|
|
type: string
|
|
subjectRegExp:
|
|
description: SubjectRegExp is the
|
|
regular expression to match identity
|
|
used for keyless signing, for
|
|
example the email address.
|
|
type: string
|
|
type: object
|
|
keys:
|
|
description: Keys specifies one or more
|
|
public keys.
|
|
properties:
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set,
|
|
is used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp.
|
|
type: string
|
|
type: object
|
|
kms:
|
|
description: |-
|
|
KMS provides the URI to the public key stored in a Key Management System. See:
|
|
https://github.com/sigstore/cosign/blob/main/KMS.md
|
|
type: string
|
|
publicKeys:
|
|
description: |-
|
|
Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
|
|
specified or can be a variable reference to a key specified in a ConfigMap (see
|
|
https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
|
|
elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
|
|
The named Secret must specify a key `cosign.pub` containing the public key used for
|
|
verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
|
|
When multiple keys are specified each key is processed as a separate staticKey entry
|
|
(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
transparency log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
secret:
|
|
description: Reference to a Secret
|
|
resource that contains a public
|
|
key
|
|
properties:
|
|
name:
|
|
description: Name of the secret.
|
|
The provided secret must contain
|
|
a key named cosign.pub.
|
|
type: string
|
|
namespace:
|
|
description: Namespace name
|
|
where the Secret exists.
|
|
type: string
|
|
required:
|
|
- name
|
|
- namespace
|
|
type: object
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Deprecated. Use attestor.signatureAlgorithm
|
|
instead.
|
|
type: string
|
|
type: object
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
|
|
If specified Repository will override other OCI image repository locations for this Attestor.
|
|
type: string
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Specify signature algorithm
|
|
for public keys. Supported values
|
|
are sha224, sha256, sha384 and sha512.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
dryRun:
|
|
description: DryRun configuration
|
|
properties:
|
|
enable:
|
|
type: boolean
|
|
namespace:
|
|
type: string
|
|
type: object
|
|
ignoreFields:
|
|
description: Fields which will be ignored while
|
|
comparing manifests.
|
|
items:
|
|
properties:
|
|
fields:
|
|
items:
|
|
type: string
|
|
type: array
|
|
objects:
|
|
items:
|
|
properties:
|
|
group:
|
|
type: string
|
|
kind:
|
|
type: string
|
|
name:
|
|
type: string
|
|
namespace:
|
|
type: string
|
|
version:
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for resource bundle reference.
|
|
The repository can be overridden per Attestor or Attestation.
|
|
type: string
|
|
type: object
|
|
message:
|
|
description: Message specifies a custom message to be
|
|
displayed on failure.
|
|
type: string
|
|
pattern:
|
|
description: Pattern specifies an overlay-style pattern
|
|
used to check resources.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
podSecurity:
|
|
description: |-
|
|
PodSecurity applies exemptions for Kubernetes Pod Security admission
|
|
by specifying exclusions for Pod Security Standards controls.
|
|
properties:
|
|
exclude:
|
|
description: Exclude specifies the Pod Security
|
|
Standard controls to be excluded.
|
|
items:
|
|
description: PodSecurityStandard specifies the
|
|
Pod Security Standard controls to be excluded.
|
|
properties:
|
|
controlName:
|
|
description: |-
|
|
ControlName specifies the name of the Pod Security Standard control.
|
|
See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
|
|
enum:
|
|
- HostProcess
|
|
- Host Namespaces
|
|
- Privileged Containers
|
|
- Capabilities
|
|
- HostPath Volumes
|
|
- Host Ports
|
|
- AppArmor
|
|
- SELinux
|
|
- /proc Mount Type
|
|
- Seccomp
|
|
- Sysctls
|
|
- Volume Types
|
|
- Privilege Escalation
|
|
- Running as Non-root
|
|
- Running as Non-root user
|
|
type: string
|
|
images:
|
|
description: |-
|
|
Images selects matching containers and applies the container level PSS.
|
|
Each image is the image name consisting of the registry address, repository, image, and tag.
|
|
Empty list matches no containers, PSS checks are applied at the pod level only.
|
|
Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
|
|
items:
|
|
type: string
|
|
type: array
|
|
restrictedField:
|
|
description: |-
|
|
RestrictedField selects the field for the given Pod Security Standard control.
|
|
When not set, all restricted fields for the control are selected.
|
|
type: string
|
|
values:
|
|
description: Values defines the allowed values
|
|
that can be excluded.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- controlName
|
|
type: object
|
|
type: array
|
|
level:
|
|
description: |-
|
|
Level defines the Pod Security Standard level to be applied to workloads.
|
|
Allowed values are privileged, baseline, and restricted.
|
|
enum:
|
|
- privileged
|
|
- baseline
|
|
- restricted
|
|
type: string
|
|
version:
|
|
description: |-
|
|
Version defines the Pod Security Standard versions that Kubernetes supports.
|
|
Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
|
|
enum:
|
|
- v1.19
|
|
- v1.20
|
|
- v1.21
|
|
- v1.22
|
|
- v1.23
|
|
- v1.24
|
|
- v1.25
|
|
- v1.26
|
|
- v1.27
|
|
- v1.28
|
|
- v1.29
|
|
- latest
|
|
type: string
|
|
type: object
|
|
type: object
|
|
verifyImages:
|
|
description: VerifyImages is used to verify image signatures
|
|
and mutate them to add a digest
|
|
items:
|
|
description: |-
|
|
ImageVerification validates that images that match the specified pattern
|
|
are signed with the supplied public key. Once the image is verified it is
|
|
mutated to include the SHA digest retrieved during the registration.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: Deprecated.
|
|
type: object
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Deprecated. Use annotations per Attestor
|
|
instead.
|
|
type: object
|
|
attestations:
|
|
description: |-
|
|
Attestations are optional checks for signed in-toto Statements used to verify the image.
|
|
See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
|
|
OCI registry and decodes them into a list of Statement declarations.
|
|
items:
|
|
description: |-
|
|
Attestation are checks for signed in-toto Statements that are used to verify the image.
|
|
See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
|
|
OCI registry and decodes them into a list of Statements.
|
|
properties:
|
|
attestors:
|
|
description: Attestors specify the required
|
|
attestors (i.e. authorities).
|
|
items:
|
|
properties:
|
|
count:
|
|
description: |-
|
|
Count specifies the required number of entries that must match. If the count is null, all entries must match
|
|
(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
|
|
value N, then N must be less than or equal to the size of entries, and at least N entries must match.
|
|
minimum: 1
|
|
type: integer
|
|
entries:
|
|
description: |-
|
|
Entries contains the available attestors. An attestor can be a static key,
|
|
attributes for keyless verification, or a nested attestor declaration.
|
|
items:
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations are used for image verification.
|
|
Every specified key-value pair must exist and match in the verified payload.
|
|
The payload may contain other key-value pairs.
|
|
type: object
|
|
attestor:
|
|
description: Attestor is a nested
|
|
set of Attestor used to specify
|
|
a more complex set of match authorities.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
certificates:
|
|
description: Certificates specifies
|
|
one or more certificates.
|
|
properties:
|
|
cert:
|
|
description: Cert is an optional
|
|
PEM-encoded public certificate.
|
|
type: string
|
|
certChain:
|
|
description: CertChain is an
|
|
optional PEM encoded set of
|
|
certificates used to verify.
|
|
type: string
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if
|
|
set, is used to validate
|
|
SCTs against a custom
|
|
source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp.
|
|
type: string
|
|
type: object
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog
|
|
skips transparency log
|
|
verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the
|
|
address of the transparency
|
|
log. Defaults to the public
|
|
Rekor log instance https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
keyless:
|
|
description: |-
|
|
Keyless is a set of attributes used to verify a Sigstore keyless attestor.
|
|
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions
|
|
are certificate-extensions
|
|
used for keyless signing.
|
|
type: object
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if
|
|
set, is used to validate
|
|
SCTs against a custom
|
|
source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp.
|
|
type: string
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
issuerRegExp:
|
|
description: IssuerRegExp is
|
|
the regular expression to
|
|
match certificate issuer used
|
|
for keyless signing.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog
|
|
skips transparency log
|
|
verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the
|
|
address of the transparency
|
|
log. Defaults to the public
|
|
Rekor log instance https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
roots:
|
|
description: |-
|
|
Roots is an optional set of PEM encoded trusted root certificates.
|
|
If not provided, the system roots are used.
|
|
type: string
|
|
subject:
|
|
description: Subject is the
|
|
verified identity used for
|
|
keyless signing, for example
|
|
the email address.
|
|
type: string
|
|
subjectRegExp:
|
|
description: SubjectRegExp is
|
|
the regular expression to
|
|
match identity used for keyless
|
|
signing, for example the email
|
|
address.
|
|
type: string
|
|
type: object
|
|
keys:
|
|
description: Keys specifies one
|
|
or more public keys.
|
|
properties:
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if
|
|
set, is used to validate
|
|
SCTs against a custom
|
|
source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp.
|
|
type: string
|
|
type: object
|
|
kms:
|
|
description: |-
|
|
KMS provides the URI to the public key stored in a Key Management System. See:
|
|
https://github.com/sigstore/cosign/blob/main/KMS.md
|
|
type: string
|
|
publicKeys:
|
|
description: |-
|
|
Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
|
|
specified or can be a variable reference to a key specified in a ConfigMap (see
|
|
https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
|
|
elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
|
|
The named Secret must specify a key `cosign.pub` containing the public key used for
|
|
verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
|
|
When multiple keys are specified each key is processed as a separate staticKey entry
|
|
(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog
|
|
skips transparency log
|
|
verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the
|
|
address of the transparency
|
|
log. Defaults to the public
|
|
Rekor log instance https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
secret:
|
|
description: Reference to a
|
|
Secret resource that contains
|
|
a public key
|
|
properties:
|
|
name:
|
|
description: Name of the
|
|
secret. The provided secret
|
|
must contain a key named
|
|
cosign.pub.
|
|
type: string
|
|
namespace:
|
|
description: Namespace name
|
|
where the Secret exists.
|
|
type: string
|
|
required:
|
|
- name
|
|
- namespace
|
|
type: object
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Deprecated. Use
|
|
attestor.signatureAlgorithm
|
|
instead.
|
|
type: string
|
|
type: object
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
|
|
If specified Repository will override other OCI image repository locations for this Attestor.
|
|
type: string
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Specify signature algorithm
|
|
for public keys. Supported values
|
|
are sha224, sha256, sha384 and
|
|
sha512.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
conditions:
|
|
description: |-
|
|
Conditions are used to verify attributes within a Predicate. If no Conditions are specified
|
|
the attestation check is satisfied as long as there are predicates that match the predicate type.
|
|
items:
|
|
description: |-
|
|
AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
|
|
AnyConditions get fulfilled when at least one of its sub-conditions passes.
|
|
AllConditions get fulfilled only when all of its sub-conditions pass.
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context
|
|
entry (using JMESPath) for conditional
|
|
rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be a fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions needs to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context
|
|
entry (using JMESPath) for conditional
|
|
rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be a fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
predicateType:
|
|
description: Deprecated in favour of 'Type',
|
|
to be removed soon
|
|
type: string
|
|
type:
|
|
description: Type defines the type of attestation
|
|
contained within the Statement.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
attestors:
|
|
description: Attestors specify the required attestors
|
|
(i.e. authorities)
|
|
items:
|
|
properties:
|
|
count:
|
|
description: |-
|
|
Count specifies the required number of entries that must match. If the count is null, all entries must match
|
|
(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
|
|
value N, then N must be less than or equal to the size of entries, and at least N entries must match.
|
|
minimum: 1
|
|
type: integer
|
|
entries:
|
|
description: |-
|
|
Entries contains the available attestors. An attestor can be a static key,
|
|
attributes for keyless verification, or a nested attestor declaration.
|
|
items:
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations are used for image verification.
|
|
Every specified key-value pair must exist and match in the verified payload.
|
|
The payload may contain other key-value pairs.
|
|
type: object
|
|
attestor:
|
|
description: Attestor is a nested set
|
|
of Attestor used to specify a more complex
|
|
set of match authorities.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
certificates:
|
|
description: Certificates specifies one
|
|
or more certificates.
|
|
properties:
|
|
cert:
|
|
description: Cert is an optional PEM-encoded
|
|
public certificate.
|
|
type: string
|
|
certChain:
|
|
description: CertChain is an optional
|
|
PEM encoded set of certificates
|
|
used to verify.
|
|
type: string
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set, is
|
|
used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp.
|
|
type: string
|
|
type: object
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
transparency log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
keyless:
|
|
description: |-
|
|
Keyless is a set of attributes used to verify a Sigstore keyless attestor.
|
|
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions
|
|
are certificate-extensions used
|
|
for keyless signing.
|
|
type: object
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set, is
|
|
used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp.
|
|
type: string
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
issuerRegExp:
|
|
description: IssuerRegExp is the regular
|
|
expression to match certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
transparency log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
roots:
|
|
description: |-
|
|
Roots is an optional set of PEM encoded trusted root certificates.
|
|
If not provided, the system roots are used.
|
|
type: string
|
|
subject:
|
|
description: Subject is the verified
|
|
identity used for keyless signing,
|
|
for example the email address.
|
|
type: string
|
|
subjectRegExp:
|
|
description: SubjectRegExp is the
|
|
regular expression to match identity
|
|
used for keyless signing, for example
|
|
the email address.
|
|
type: string
|
|
type: object
|
|
keys:
|
|
description: Keys specifies one or more
|
|
public keys.
|
|
properties:
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set, is
|
|
used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp source.
|
|
type: string
|
|
type: object
|
|
kms:
|
|
description: |-
|
|
KMS provides the URI to the public key stored in a Key Management System. See:
|
|
https://github.com/sigstore/cosign/blob/main/KMS.md
|
|
type: string
|
|
publicKeys:
|
|
description: |-
|
|
Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
|
|
specified or can be a variable reference to a key specified in a ConfigMap (see
|
|
https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
|
|
elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
|
|
The named Secret must specify a key `cosign.pub` containing the public key used for
|
|
verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
|
|
When multiple keys are specified each key is processed as a separate staticKey entry
|
|
(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
transparency log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
secret:
|
|
description: Reference to a Secret
|
|
resource that contains a public
|
|
key
|
|
properties:
|
|
name:
|
|
description: Name of the secret.
|
|
The provided secret must contain
|
|
a key named cosign.pub.
|
|
type: string
|
|
namespace:
|
|
description: Namespace name where
|
|
the Secret exists.
|
|
type: string
|
|
required:
|
|
- name
|
|
- namespace
|
|
type: object
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Deprecated. Use attestor.signatureAlgorithm
|
|
instead.
|
|
type: string
|
|
type: object
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
|
|
If specified Repository will override other OCI image repository locations for this Attestor.
|
|
type: string
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Specify signature algorithm
|
|
for public keys. Supported values are
|
|
sha224, sha256, sha384 and sha512.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
cosignOCI11:
|
|
description: |-
|
|
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
|
Defaults to false.
|
|
type: boolean
|
|
failureAction:
|
|
description: Allowed values are Audit or Enforce.
|
|
enum:
|
|
- Audit
|
|
- Enforce
|
|
type: string
|
|
image:
|
|
description: Deprecated. Use ImageReferences instead.
|
|
type: string
|
|
imageReferences:
|
|
description: |-
|
|
ImageReferences is a list of matching image reference patterns. At least one pattern in the
|
|
list must match the image for the rule to apply. Each image reference consists of a registry
|
|
address (defaults to docker.io), repository, image, and tag (defaults to latest).
|
|
Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
|
|
items:
|
|
type: string
|
|
type: array
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides credentials
|
|
that will be used for authentication with the registry.
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows insecure
|
|
access to a registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
It can be one of these values: default,google,azure,amazon,github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential providers
|
|
required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
issuer:
|
|
description: Deprecated. Use KeylessAttestor instead.
|
|
type: string
|
|
key:
|
|
description: Deprecated. Use StaticKeyAttestor instead.
|
|
type: string
|
|
mutateDigest:
|
|
default: true
|
|
description: |-
|
|
MutateDigest enables replacement of image tags with digests.
|
|
Defaults to true.
|
|
type: boolean
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
|
|
If specified Repository will override the default OCI image repository configured for the installation.
|
|
The repository can also be overridden per Attestor or Attestation.
|
|
type: string
|
|
required:
|
|
default: true
|
|
description: Required validates that images are verified
|
|
i.e. have passed a signature or attestation
|
|
check.
|
|
type: boolean
|
|
roots:
|
|
description: Deprecated. Use KeylessAttestor instead.
|
|
type: string
|
|
skipImageReferences:
|
|
description: |-
|
|
SkipImageReferences is a list of matching image reference patterns that should be skipped.
|
|
At least one pattern in the list must match the image for the rule to be skipped. Each image reference
|
|
consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
|
|
Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subject:
|
|
description: Deprecated. Use KeylessAttestor instead.
|
|
type: string
|
|
type:
|
|
description: |-
|
|
Type specifies the method of signature validation. The allowed options
|
|
are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified.
|
|
enum:
|
|
- Cosign
|
|
- SigstoreBundle
|
|
- Notary
|
|
type: string
|
|
useCache:
|
|
default: true
|
|
description: UseCache enables caching of image verify
|
|
responses for this rule.
|
|
type: boolean
|
|
verifyDigest:
|
|
default: true
|
|
description: VerifyDigest validates that images have
|
|
a digest.
|
|
type: boolean
|
|
type: object
|
|
type: array
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
type: object
|
|
conditions:
|
|
items:
|
|
description: Condition contains details for one aspect of the current
|
|
state of this API Resource.
|
|
properties:
|
|
lastTransitionTime:
|
|
description: |-
|
|
lastTransitionTime is the last time the condition transitioned from one status to another.
|
|
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
|
|
format: date-time
|
|
type: string
|
|
message:
|
|
description: |-
|
|
message is a human readable message indicating details about the transition.
|
|
This may be an empty string.
|
|
maxLength: 32768
|
|
type: string
|
|
observedGeneration:
|
|
description: |-
|
|
observedGeneration represents the .metadata.generation that the condition was set based upon.
|
|
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
|
|
with respect to the current state of the instance.
|
|
format: int64
|
|
minimum: 0
|
|
type: integer
|
|
reason:
|
|
description: |-
|
|
reason contains a programmatic identifier indicating the reason for the condition's last transition.
|
|
Producers of specific condition types may define expected values and meanings for this field,
|
|
and whether the values are considered a guaranteed API.
|
|
The value should be a CamelCase string.
|
|
This field may not be empty.
|
|
maxLength: 1024
|
|
minLength: 1
|
|
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
|
type: string
|
|
status:
|
|
description: status of the condition, one of True, False, Unknown.
|
|
enum:
|
|
- "True"
|
|
- "False"
|
|
- Unknown
|
|
type: string
|
|
type:
|
|
description: type of condition in CamelCase or in foo.example.com/CamelCase.
|
|
maxLength: 316
|
|
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
|
type: string
|
|
required:
|
|
- lastTransitionTime
|
|
- message
|
|
- reason
|
|
- status
|
|
- type
|
|
type: object
|
|
type: array
|
|
ready:
|
|
description: Deprecated in favor of Conditions
|
|
type: boolean
|
|
rulecount:
|
|
description: |-
|
|
RuleCountStatus contains four variables which describe counts for
|
|
validate, generate, mutate and verify images rules
|
|
properties:
|
|
generate:
|
|
description: Count for generate rules in policy
|
|
type: integer
|
|
mutate:
|
|
description: Count for mutate rules in policy
|
|
type: integer
|
|
validate:
|
|
description: Count for validate rules in policy
|
|
type: integer
|
|
verifyimages:
|
|
description: Count for verify image rules in policy
|
|
type: integer
|
|
required:
|
|
- generate
|
|
- mutate
|
|
- validate
|
|
- verifyimages
|
|
type: object
|
|
validatingadmissionpolicy:
|
|
description: ValidatingAdmissionPolicy contains status information
|
|
properties:
|
|
generated:
|
|
description: Generated indicates whether a validating admission
|
|
policy is generated from the policy or not
|
|
type: boolean
|
|
message:
|
|
description: |-
|
|
Message is a human readable message indicating details about the generation of validating admission policy
|
|
It is an empty string when validating admission policy is successfully generated.
|
|
type: string
|
|
required:
|
|
- generated
|
|
- message
|
|
type: object
|
|
type: object
|
|
required:
|
|
- spec
|
|
type: object
|
|
served: true
|
|
storage: false
|
|
subresources:
|
|
status: {}
|
|
---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/component: crds
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/managed-by: Helm
|
|
app.kubernetes.io/part-of: kyverno-crds
|
|
app.kubernetes.io/version: v0.0.0
|
|
helm.sh/chart: crds-v0.0.0
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.16.1
|
|
name: globalcontextentries.kyverno.io
|
|
spec:
|
|
group: kyverno.io
|
|
names:
|
|
categories:
|
|
- kyverno
|
|
kind: GlobalContextEntry
|
|
listKind: GlobalContextEntryList
|
|
plural: globalcontextentries
|
|
shortNames:
|
|
- gctxentry
|
|
singular: globalcontextentry
|
|
scope: Cluster
|
|
versions:
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .status.conditions[?(@.type == "Ready")].status
|
|
name: READY
|
|
type: string
|
|
- jsonPath: .metadata.creationTimestamp
|
|
name: AGE
|
|
type: date
|
|
- jsonPath: .spec.apiCall.refreshInterval
|
|
name: REFRESH INTERVAL
|
|
type: string
|
|
- jsonPath: .status.lastRefreshTime
|
|
name: LAST REFRESH
|
|
type: date
|
|
name: v2alpha1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: GlobalContextEntry declares resources to be cached.
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion defines the versioned schema of this representation of an object.
|
|
Servers should convert recognized schemas to the latest internal value, and
|
|
may reject unrecognized values.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is a string value representing the REST resource this object represents.
|
|
Servers may infer this from the endpoint the client submits requests to.
|
|
Cannot be updated.
|
|
In CamelCase.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Spec declares the resources or API call results to be cached by this global context entry.
|
|
oneOf:
|
|
- required:
|
|
- kubernetesResource
|
|
- required:
|
|
- apiCall
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
Stores results from an API call which will be cached.
|
|
Mutually exclusive with KubernetesResource.
|
|
This can be used to make calls to external (non-Kubernetes API server) services.
|
|
It can also be used to make calls to the Kubernetes API server in such cases:
|
|
1. A POST is needed to create a resource.
|
|
2. Finer-grained control is needed. Example: To restrict the number of resources cached.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains the HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request type (GET or POST). Defaults
|
|
to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
refreshInterval:
|
|
default: 10m
|
|
description: |-
|
|
RefreshInterval defines the interval in duration at which to poll the APICall.
|
|
The duration is a sequence of decimal numbers, each with optional fraction and a unit suffix,
|
|
such as "300ms", "1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
|
|
format: duration
|
|
type: string
|
|
retryLimit:
|
|
default: 3
|
|
description: RetryLimit defines the number of times the APICall
|
|
should be retried in case of failure.
|
|
minimum: 1
|
|
type: integer
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
kubernetesResource:
|
|
description: |-
|
|
Stores a list of Kubernetes resources which will be cached.
|
|
Mutually exclusive with APICall.
|
|
properties:
|
|
group:
|
|
description: Group defines the group of the resource.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace defines the namespace of the resource. Leave empty for cluster scoped resources.
|
|
If left empty for namespaced resources, all resources from all namespaces will be cached.
|
|
type: string
|
|
resource:
|
|
description: |-
|
|
Resource defines the type of the resource.
|
|
Requires the pluralized form of the resource kind in lowercase. (Ex., "deployments")
|
|
type: string
|
|
version:
|
|
description: Version defines the version of the resource.
|
|
type: string
|
|
required:
|
|
- resource
|
|
- version
|
|
type: object
|
|
type: object
|
|
status:
|
|
description: Status contains globalcontextentry runtime data.
|
|
properties:
|
|
conditions:
|
|
items:
|
|
description: Condition contains details for one aspect of the current
|
|
state of this API Resource.
|
|
properties:
|
|
lastTransitionTime:
|
|
description: |-
|
|
lastTransitionTime is the last time the condition transitioned from one status to another.
|
|
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
|
|
format: date-time
|
|
type: string
|
|
message:
|
|
description: |-
|
|
message is a human readable message indicating details about the transition.
|
|
This may be an empty string.
|
|
maxLength: 32768
|
|
type: string
|
|
observedGeneration:
|
|
description: |-
|
|
observedGeneration represents the .metadata.generation that the condition was set based upon.
|
|
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
|
|
with respect to the current state of the instance.
|
|
format: int64
|
|
minimum: 0
|
|
type: integer
|
|
reason:
|
|
description: |-
|
|
reason contains a programmatic identifier indicating the reason for the condition's last transition.
|
|
Producers of specific condition types may define expected values and meanings for this field,
|
|
and whether the values are considered a guaranteed API.
|
|
The value should be a CamelCase string.
|
|
This field may not be empty.
|
|
maxLength: 1024
|
|
minLength: 1
|
|
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
|
type: string
|
|
status:
|
|
description: status of the condition, one of True, False, Unknown.
|
|
enum:
|
|
- "True"
|
|
- "False"
|
|
- Unknown
|
|
type: string
|
|
type:
|
|
description: type of condition in CamelCase or in foo.example.com/CamelCase.
|
|
maxLength: 316
|
|
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
|
type: string
|
|
required:
|
|
- lastTransitionTime
|
|
- message
|
|
- reason
|
|
- status
|
|
- type
|
|
type: object
|
|
type: array
|
|
lastRefreshTime:
|
|
description: Indicates the time when the globalcontextentry was last
|
|
refreshed successfully for the API Call
|
|
format: date-time
|
|
type: string
|
|
ready:
|
|
description: Deprecated in favor of Conditions
|
|
type: boolean
|
|
type: object
|
|
required:
|
|
- spec
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources:
|
|
status: {}
|
|
---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/component: crds
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/managed-by: Helm
|
|
app.kubernetes.io/part-of: kyverno-crds
|
|
app.kubernetes.io/version: v0.0.0
|
|
helm.sh/chart: crds-v0.0.0
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.16.1
|
|
name: policies.kyverno.io
|
|
spec:
|
|
group: kyverno.io
|
|
names:
|
|
categories:
|
|
- kyverno
|
|
kind: Policy
|
|
listKind: PolicyList
|
|
plural: policies
|
|
shortNames:
|
|
- pol
|
|
singular: policy
|
|
scope: Namespaced
|
|
versions:
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .spec.admission
|
|
name: ADMISSION
|
|
type: boolean
|
|
- jsonPath: .spec.background
|
|
name: BACKGROUND
|
|
type: boolean
|
|
- jsonPath: .status.conditions[?(@.type == "Ready")].status
|
|
name: READY
|
|
type: string
|
|
- jsonPath: .metadata.creationTimestamp
|
|
name: AGE
|
|
type: date
|
|
- jsonPath: .spec.failurePolicy
|
|
name: FAILURE POLICY
|
|
priority: 1
|
|
type: string
|
|
- jsonPath: .status.rulecount.validate
|
|
name: VALIDATE
|
|
priority: 1
|
|
type: integer
|
|
- jsonPath: .status.rulecount.mutate
|
|
name: MUTATE
|
|
priority: 1
|
|
type: integer
|
|
- jsonPath: .status.rulecount.generate
|
|
name: GENERATE
|
|
priority: 1
|
|
type: integer
|
|
- jsonPath: .status.rulecount.verifyimages
|
|
name: VERIFY IMAGES
|
|
priority: 1
|
|
type: integer
|
|
- jsonPath: .status.conditions[?(@.type == "Ready")].message
|
|
name: MESSAGE
|
|
type: string
|
|
name: v1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: |-
|
|
Policy declares validation, mutation, and generation behaviors for matching resources.
|
|
See: https://kyverno.io/docs/writing-policies/ for more information.
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion defines the versioned schema of this representation of an object.
|
|
Servers should convert recognized schemas to the latest internal value, and
|
|
may reject unrecognized values.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is a string value representing the REST resource this object represents.
|
|
Servers may infer this from the endpoint the client submits requests to.
|
|
Cannot be updated.
|
|
In CamelCase.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Spec defines policy behaviors and contains one or more rules.
|
|
properties:
|
|
admission:
|
|
default: true
|
|
description: |-
|
|
Admission controls if rules are applied during admission.
|
|
Optional. Default value is "true".
|
|
type: boolean
|
|
applyRules:
|
|
description: |-
|
|
ApplyRules controls how rules in a policy are applied. Rules are processed in
|
|
the order of declaration. When set to `One` processing stops after a rule has
|
|
been applied i.e. the rule matches and results in a pass, fail, or error. When
|
|
set to `All` all rules in the policy are processed. The default is `All`.
|
|
enum:
|
|
- All
|
|
- One
|
|
type: string
|
|
background:
|
|
default: true
|
|
description: |-
|
|
Background controls if rules are applied to existing resources during a background scan.
|
|
Optional. Default value is "true". The value must be set to "false" if the policy rule
|
|
uses variables that are only available in the admission review request (e.g. user name).
|
|
type: boolean
|
|
failurePolicy:
|
|
description: Deprecated, use failurePolicy under the webhookConfiguration
|
|
instead.
|
|
enum:
|
|
- Ignore
|
|
- Fail
|
|
type: string
|
|
generateExisting:
|
|
description: Deprecated, use generateExisting under the generate rule
|
|
instead
|
|
type: boolean
|
|
generateExistingOnPolicyUpdate:
|
|
description: Deprecated, use generateExisting instead
|
|
type: boolean
|
|
mutateExistingOnPolicyUpdate:
|
|
description: Deprecated, use mutateExistingOnPolicyUpdate under the
|
|
mutate rule instead
|
|
type: boolean
|
|
rules:
|
|
description: |-
|
|
Rules is a list of Rule instances. A Policy contains multiple rules and
|
|
each rule can validate, mutate, or generate resources.
|
|
items:
|
|
description: |-
|
|
Rule defines a validation, mutation, or generation control for matching resources.
|
|
Each rule contains a match declaration to select resources, and an optional exclude
|
|
declaration to specify which resources to exclude.
|
|
properties:
|
|
celPreconditions:
|
|
description: |-
|
|
CELPreconditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of CEL conditions. It can only be used with the validate.cel subrule
|
|
items:
|
|
description: MatchCondition represents a condition which must
|
|
be fulfilled for a request to be sent to a webhook.
|
|
properties:
|
|
expression:
|
|
description: |-
|
|
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
|
|
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
|
|
|
|
'object' - The object from the incoming request. The value is null for DELETE requests.
|
|
'oldObject' - The existing object. The value is null for CREATE requests.
|
|
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
|
|
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
|
|
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
|
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
|
|
request resource.
|
|
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
|
|
|
|
Required.
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name is an identifier for this match condition, used for strategic merging of MatchConditions,
|
|
as well as providing an identifier for logging purposes. A good name should be descriptive of
|
|
the associated expression.
|
|
Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
|
|
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
|
|
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
|
|
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
|
|
|
|
Required.
|
|
type: string
|
|
required:
|
|
- expression
|
|
- name
|
|
type: object
|
|
type: array
|
|
context:
|
|
description: Context defines variables and data sources that
|
|
can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference or an APILookup must be provided.
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains the HTTP POST
|
|
data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier for
|
|
the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns an error
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request type (GET
|
|
or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference is a reference
|
|
to a cached global context entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides credentials
|
|
that will be used for authentication with the registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows insecure
|
|
access to a registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
It can be one of these values: default,google,azure,amazon,github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential providers
|
|
required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath context
|
|
variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON object representable
|
|
in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
exclude:
|
|
description: |-
|
|
ExcludeResources defines when this policy rule should not be applied. The exclude
|
|
criteria can include resource information (e.g. kind, name, namespace, labels)
|
|
and admission review request information like the name or role.
|
|
not:
|
|
required:
|
|
- any
|
|
- all
|
|
properties:
|
|
all:
|
|
description: All allows specifying resources which will
|
|
be ANDed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or "OR"
|
|
between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespaces names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used
|
|
to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one
|
|
of the values CREATE, UPDATE, CONNECT, DELETE,
|
|
which are used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: Any allows specifying resources which will
|
|
be ORed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or "OR"
|
|
between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespaces names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used
|
|
to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one
|
|
of the values CREATE, UPDATE, CONNECT, DELETE,
|
|
which are used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: |-
|
|
ResourceDescription contains information about the resource being created or modified.
|
|
Requires at least one tag to be specified when under MatchResources.
|
|
Specifying ResourceDescription directly under match is being deprecated.
|
|
Please specify under "any" or "all" instead.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespaces names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used to
|
|
match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one of the
|
|
values CREATE, UPDATE, CONNECT, DELETE, which are
|
|
used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
generate:
|
|
description: Generation is used to create new resources.
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
clone:
|
|
description: |-
|
|
Clone specifies the source resource used to populate each generated resource.
|
|
At most one of Data or Clone can be specified. If neither are provided, the generated
|
|
resource will be created with default data only.
|
|
properties:
|
|
name:
|
|
description: Name specifies name of the resource.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies source resource namespace.
|
|
type: string
|
|
type: object
|
|
cloneList:
|
|
description: CloneList specifies the list of source resources
|
|
used to populate each generated resource.
|
|
properties:
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespace:
|
|
description: Namespace specifies source resource namespace.
|
|
type: string
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector for the source resources. Label keys and values in `matchLabels` are matched literally;
|
|
wildcard characters are not supported.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
data:
|
|
description: |-
|
|
Data provides the resource declaration used to populate each generated resource.
|
|
At most one of Data or Clone can be specified. If neither are provided, the generated
|
|
resource will be created with default data only.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
foreach:
|
|
description: ForEach applies generate rules to a list of
|
|
sub-elements by creating a context for each entry in the
|
|
list and looping over it to apply the specified logic.
|
|
items:
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
clone:
|
|
description: |-
|
|
Clone specifies the source resource used to populate each generated resource.
|
|
At most one of Data or Clone can be specified. If neither are provided, the generated
|
|
resource will be created with default data only.
|
|
properties:
|
|
name:
|
|
description: Name specifies name of the resource.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies source resource
|
|
namespace.
|
|
type: string
|
|
type: object
|
|
cloneList:
|
|
description: CloneList specifies the list of source
|
|
resources used to populate each generated resource.
|
|
properties:
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespace:
|
|
description: Namespace specifies source resource
|
|
namespace.
|
|
type: string
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector for the source resources. Label keys and values in `matchLabels` are matched literally;
|
|
wildcard characters are not supported.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
context:
|
|
description: Context defines variables and data sources
|
|
that can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
Exactly one of configMap, apiCall, imageRegistry, variable or globalReference must be provided.
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains the
|
|
HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns an error
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference is
|
|
a reference to a cached global context entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context
|
|
entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides
|
|
credentials that will be used for authentication
|
|
with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows
|
|
insecure access to a registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
It can be one of these values: default, google, azure, amazon, github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath
|
|
context variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON
|
|
object representable in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
data:
|
|
description: |-
|
|
Data provides the resource declaration used to populate each generated resource.
|
|
At most one of Data or Clone must be specified. If neither are provided, the generated
|
|
resource will be created with default data only.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
list:
|
|
description: |-
|
|
List specifies a JMESPath expression that results in one or more elements
|
|
to which the validation logic is applied.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
preconditions:
|
|
description: |-
|
|
AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display
|
|
message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display
|
|
message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
uid:
|
|
description: UID specifies the resource uid.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
generateExisting:
|
|
description: |-
|
|
GenerateExisting controls whether to trigger the rule in existing resources
|
|
If is set to "true" the rule will be triggered and applied to existing matched resources.
|
|
type: boolean
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
orphanDownstreamOnPolicyDelete:
|
|
description: |-
|
|
OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
|
|
them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
|
|
See https://kyverno.io/docs/writing-policies/generate/#data-examples.
|
|
Defaults to "false" if not specified.
|
|
type: boolean
|
|
synchronize:
|
|
description: |-
|
|
Synchronize controls if generated resources should be kept in-sync with their source resource.
|
|
If Synchronize is set to "true" changes to generated resources will be overwritten with resource
|
|
data from Data or the resource specified in the Clone declaration.
|
|
Optional. Defaults to "false" if not specified.
|
|
type: boolean
|
|
uid:
|
|
description: UID specifies the resource uid.
|
|
type: string
|
|
type: object
|
|
imageExtractors:
|
|
additionalProperties:
|
|
items:
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath expression to apply to the image value.
|
|
This is useful when the extracted image begins with a prefix like 'docker://'.
|
|
The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
|
|
Note - Image digest mutation may not be used when applying a JMESPath to an image.
|
|
type: string
|
|
key:
|
|
description: |-
|
|
Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
|
|
Note - this field MUST be unique.
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name is the entry the image will be available under 'images.<name>' in the context.
|
|
If this field is not defined, image entries will appear under 'images.custom'.
|
|
type: string
|
|
path:
|
|
description: |-
|
|
Path is the path to the object containing the image field in a custom resource.
|
|
It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
|
|
Wildcard keys are expanded in case of arrays or objects.
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is an optional name of the field within 'path' that points to the image URI.
|
|
This is useful when a custom 'key' is also defined.
|
|
type: string
|
|
required:
|
|
- path
|
|
type: object
|
|
type: array
|
|
description: |-
|
|
ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
|
|
This config is only valid for verifyImages rules.
|
|
type: object
|
|
match:
|
|
description: |-
|
|
MatchResources defines when this policy rule should be applied. The match
|
|
criteria can include resource information (e.g. kind, name, namespace, labels)
|
|
and admission review request information like the user name or role.
|
|
At least one kind is required.
|
|
not:
|
|
required:
|
|
- any
|
|
- all
|
|
properties:
|
|
all:
|
|
description: All allows specifying resources which will
|
|
be ANDed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or "OR"
|
|
between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used
|
|
to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one
|
|
of the values CREATE, UPDATE, CONNECT, DELETE,
|
|
which are used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: Any allows specifying resources which will
|
|
be ORed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or "OR"
|
|
between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used
|
|
to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one
|
|
of the values CREATE, UPDATE, CONNECT, DELETE,
|
|
which are used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: |-
|
|
ResourceDescription contains information about the resource being created or modified.
|
|
Requires at least one tag to be specified when under MatchResources.
|
|
Specifying ResourceDescription directly under match is being deprecated.
|
|
Please specify under "any" or "all" instead.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used to
|
|
match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one of the
|
|
values CREATE, UPDATE, CONNECT, DELETE, which are
|
|
used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
mutate:
|
|
description: Mutation is used to modify matching resources.
|
|
properties:
|
|
foreach:
|
|
description: ForEach applies mutation rules to a list of
|
|
sub-elements by creating a context for each entry in the
|
|
list and looping over it to apply the specified logic.
|
|
items:
|
|
description: ForEachMutation applies mutation rules to
|
|
a list of sub-elements by creating a context for each
|
|
entry in the list and looping over it to apply the specified
|
|
logic.
|
|
properties:
|
|
context:
|
|
description: Context defines variables and data sources
|
|
that can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference or an APILookup must be provided.
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains the
|
|
HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns an error
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference is
|
|
a reference to a cached global context entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context
|
|
entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides
|
|
credentials that will be used for authentication
|
|
with the registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows
|
|
insecure access to a registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
It can be of one of these values: default,google,azure,amazon,github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is an image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath
|
|
context variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON
|
|
object representable in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
foreach:
|
|
description: Foreach declares a nested foreach iterator
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
list:
|
|
description: |-
|
|
List specifies a JMESPath expression that results in one or more elements
|
|
to which the validation logic is applied.
|
|
type: string
|
|
order:
|
|
description: |-
|
|
Order defines the iteration order on the list.
|
|
Can be Ascending to iterate from first to last element or Descending to iterate from last to first element.
|
|
enum:
|
|
- Ascending
|
|
- Descending
|
|
type: string
|
|
patchStrategicMerge:
|
|
description: |-
|
|
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
|
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
|
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
patchesJson6902:
|
|
description: |-
|
|
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
|
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
|
type: string
|
|
preconditions:
|
|
description: |-
|
|
AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display
|
|
message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display
|
|
message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
mutateExistingOnPolicyUpdate:
|
|
description: MutateExistingOnPolicyUpdate controls if the
|
|
mutateExisting rule will be applied on policy events.
|
|
type: boolean
|
|
patchStrategicMerge:
|
|
description: |-
|
|
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
|
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
|
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
patchesJson6902:
|
|
description: |-
|
|
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
|
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
|
type: string
|
|
targets:
|
|
description: Targets defines the target resources to be
|
|
mutated.
|
|
items:
|
|
description: TargetResourceSpec defines targets for mutating
|
|
existing resources.
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
context:
|
|
description: Context defines variables and data sources
|
|
that can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference or an APILookup must be provided.
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains the
|
|
HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns an error
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference is
|
|
a reference to a cached global context entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context
|
|
entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides
|
|
credentials that will be used for authentication
|
|
with the registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows
|
|
insecure access to a registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
It can be of one of these values: default,google,azure,amazon,github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is an image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath
|
|
context variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON
|
|
object representable in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
preconditions:
|
|
description: |-
|
|
Preconditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
|
|
of conditions (without `any` or `all` statements) is supported for backwards compatibility but
|
|
will be deprecated in the next major release.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
uid:
|
|
description: UID specifies the resource uid.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
name:
|
|
description: Name is a label to identify the rule. It must be
|
|
unique within the policy.
|
|
maxLength: 63
|
|
type: string
|
|
preconditions:
|
|
description: |-
|
|
Preconditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
|
|
of conditions (without `any` or `all` statements) is supported for backwards compatibility but
|
|
will be deprecated in the next major release.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
reportProperties:
|
|
additionalProperties:
|
|
type: string
|
|
description: ReportProperties are the additional properties
|
|
from the rule that will be added to the policy report result
|
|
type: object
|
|
skipBackgroundRequests:
|
|
default: true
|
|
description: |-
|
|
SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
|
|
The default value is set to "true", it must be set to "false" to apply
|
|
generate and mutateExisting rules to those requests.
|
|
type: boolean
|
|
validate:
|
|
description: Validation is used to validate matching resources.
|
|
properties:
|
|
anyPattern:
|
|
description: |-
|
|
AnyPattern specifies list of validation patterns. At least one of the patterns
|
|
must be satisfied for the validation rule to succeed.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
assert:
|
|
description: Assert defines a kyverno-json assertion tree.
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
cel:
|
|
description: CEL allows validation checks using the Common
|
|
Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
|
|
properties:
|
|
auditAnnotations:
|
|
description: AuditAnnotations contains CEL expressions
|
|
which are used to produce audit annotations for the
|
|
audit event of the API request.
|
|
items:
|
|
description: AuditAnnotation describes how to produce
|
|
an audit annotation for an API request.
|
|
properties:
|
|
key:
|
|
description: |-
|
|
key specifies the audit annotation key. The audit annotation keys of
|
|
a ValidatingAdmissionPolicy must be unique. The key must be a qualified
|
|
name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
|
|
|
|
The key is combined with the resource name of the
|
|
ValidatingAdmissionPolicy to construct an audit annotation key:
|
|
"{ValidatingAdmissionPolicy name}/{key}".
|
|
|
|
If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
|
|
and the same audit annotation key, the annotation key will be identical.
|
|
In this case, the first annotation written with the key will be included
|
|
in the audit event and all subsequent annotations with the same key
|
|
will be discarded.
|
|
|
|
Required.
|
|
type: string
|
|
valueExpression:
|
|
description: |-
|
|
valueExpression represents the expression which is evaluated by CEL to
|
|
produce an audit annotation value. The expression must evaluate to either
|
|
a string or null value. If the expression evaluates to a string, the
|
|
audit annotation is included with the string value. If the expression
|
|
evaluates to null or empty string the audit annotation will be omitted.
|
|
The valueExpression may be no longer than 5kb in length.
|
|
If the result of the valueExpression is more than 10kb in length, it
|
|
will be truncated to 10kb.
|
|
|
|
If multiple ValidatingAdmissionPolicyBinding resources match an
|
|
API request, then the valueExpression will be evaluated for
|
|
each binding. All unique values produced by the valueExpressions
|
|
will be joined together in a comma-separated list.
|
|
|
|
Required.
|
|
type: string
|
|
required:
|
|
- key
|
|
- valueExpression
|
|
type: object
|
|
type: array
|
|
expressions:
|
|
description: Expressions is a list of CELExpression
|
|
types.
|
|
items:
|
|
description: Validation specifies the CEL expression
|
|
which is used to apply the validation.
|
|
properties:
|
|
expression:
|
|
description: "Expression represents the expression
|
|
which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
|
|
expressions have access to the contents of the
|
|
API request/response, organized into CEL variables
|
|
as well as some other useful variables:\n\n-
|
|
'object' - The object from the incoming request.
|
|
The value is null for DELETE requests.\n- 'oldObject'
|
|
- The existing object. The value is null for
|
|
CREATE requests.\n- 'request' - Attributes of
|
|
the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
|
|
'params' - Parameter resource referred to by
|
|
the policy binding being evaluated. Only populated
|
|
if the policy has a ParamKind.\n- 'namespaceObject'
|
|
- The namespace object that the incoming object
|
|
belongs to. The value is null for cluster-scoped
|
|
resources.\n- 'variables' - Map of composited
|
|
variables, from its name to its lazily evaluated
|
|
value.\n For example, a variable named 'foo'
|
|
can be accessed as 'variables.foo'.\n- 'authorizer'
|
|
- A CEL Authorizer. May be used to perform authorization
|
|
checks for the principal (user or service account)
|
|
of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
|
|
'authorizer.requestResource' - A CEL ResourceCheck
|
|
constructed from the 'authorizer' and configured
|
|
with the\n request resource.\n\nThe `apiVersion`,
|
|
`kind`, `metadata.name` and `metadata.generateName`
|
|
are always accessible from the root of the\nobject.
|
|
No other metadata properties are accessible.\n\nOnly
|
|
property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
|
|
are accessible.\nAccessible property names are
|
|
escaped according to the following rules when
|
|
accessed in the expression:\n- '__' escapes
|
|
to '__underscores__'\n- '.' escapes to '__dot__'\n-
|
|
'-' escapes to '__dash__'\n- '/' escapes to
|
|
'__slash__'\n- Property names that exactly match
|
|
a CEL RESERVED keyword escape to '__{keyword}__'.
|
|
The keywords are:\n\t \"true\", \"false\",
|
|
\"null\", \"in\", \"as\", \"break\", \"const\",
|
|
\"continue\", \"else\", \"for\", \"function\",
|
|
\"if\",\n\t \"import\", \"let\", \"loop\",
|
|
\"package\", \"namespace\", \"return\".\nExamples:\n
|
|
\ - Expression accessing a property named \"namespace\":
|
|
{\"Expression\": \"object.__namespace__ > 0\"}\n
|
|
\ - Expression accessing a property named \"x-prop\":
|
|
{\"Expression\": \"object.x__dash__prop > 0\"}\n
|
|
\ - Expression accessing a property named \"redact__d\":
|
|
{\"Expression\": \"object.redact__underscores__d
|
|
> 0\"}\n\nEquality on arrays with list type
|
|
of 'set' or 'map' ignores element order, i.e.
|
|
[1, 2] == [2, 1].\nConcatenation on arrays with
|
|
x-kubernetes-list-type use the semantics of
|
|
the list type:\n - 'set': `X + Y` performs
|
|
a union where the array positions of all elements
|
|
in `X` are preserved and\n non-intersecting
|
|
elements in `Y` are appended, retaining their
|
|
partial order.\n - 'map': `X + Y` performs
|
|
a merge where the array positions of all keys
|
|
in `X` are preserved but the values\n are
|
|
overwritten by values in `Y` when the key sets
|
|
of `X` and `Y` intersect. Elements in `Y` with\n
|
|
\ non-intersecting keys are appended, retaining
|
|
their partial order.\nRequired."
|
|
type: string
|
|
message:
|
|
description: |-
|
|
Message represents the message displayed when validation fails. The message is required if the Expression contains
|
|
line breaks. The message must not contain line breaks.
|
|
If unset, the message is "failed rule: {Rule}".
|
|
e.g. "must be a URL with the host matching spec.host"
|
|
If the Expression contains line breaks. Message is required.
|
|
The message must not contain line breaks.
|
|
If unset, the message is "failed Expression: {Expression}".
|
|
type: string
|
|
messageExpression:
|
|
description: |-
|
|
messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
|
|
Since messageExpression is used as a failure message, it must evaluate to a string.
|
|
If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
|
|
If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
|
|
as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
|
|
that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
|
|
the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
|
|
messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
|
|
Example:
|
|
"object.x must be less than max ("+string(params.max)+")"
|
|
type: string
|
|
reason:
|
|
description: |-
|
|
Reason represents a machine-readable description of why this validation failed.
|
|
If this is the first validation in the list to fail, this reason, as well as the
|
|
corresponding HTTP response code, are used in the
|
|
HTTP response to the client.
|
|
The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
|
|
If not set, StatusReasonInvalid is used in the response to the client.
|
|
type: string
|
|
required:
|
|
- expression
|
|
type: object
|
|
type: array
|
|
paramKind:
|
|
description: ParamKind is a tuple of Group Kind and
|
|
Version.
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion is the API group version the resources belong to.
|
|
In format of "group/version".
|
|
Required.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is the API kind the resources belong to.
|
|
Required.
|
|
type: string
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
paramRef:
|
|
description: ParamRef references a parameter resource.
|
|
properties:
|
|
name:
|
|
description: |-
|
|
name is the name of the resource being referenced.
|
|
|
|
One of `name` or `selector` must be set, but `name` and `selector` are
|
|
mutually exclusive properties. If one is set, the other must be unset.
|
|
|
|
A single parameter used for all admission requests can be configured
|
|
by setting the `name` field, leaving `selector` blank, and setting namespace
|
|
if `paramKind` is namespace-scoped.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
namespace is the namespace of the referenced resource. Allows limiting
|
|
the search for params to a specific namespace. Applies to both `name` and
|
|
`selector` fields.
|
|
|
|
A per-namespace parameter may be used by specifying a namespace-scoped
|
|
`paramKind` in the policy and leaving this field empty.
|
|
|
|
- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
|
|
field results in a configuration error.
|
|
|
|
- If `paramKind` is namespace-scoped, the namespace of the object being
|
|
evaluated for admission will be used when this field is left unset. Take
|
|
care that if this is left empty the binding must not match any cluster-scoped
|
|
resources, which will result in an error.
|
|
type: string
|
|
parameterNotFoundAction:
|
|
description: |-
|
|
`parameterNotFoundAction` controls the behavior of the binding when the resource
|
|
exists, and name or selector is valid, but there are no parameters
|
|
matched by the binding. If the value is set to `Allow`, then no
|
|
matched parameters will be treated as successful validation by the binding.
|
|
If set to `Deny`, then no matched parameters will be subject to the
|
|
`failurePolicy` of the policy.
|
|
|
|
Allowed values are `Allow` or `Deny`
|
|
|
|
Required
|
|
type: string
|
|
selector:
|
|
description: |-
|
|
selector can be used to match multiple param objects based on their labels.
|
|
Supply selector: {} to match all resources of the ParamKind.
|
|
|
|
If multiple params are found, they are all evaluated with the policy expressions
|
|
and the results are ANDed together.
|
|
|
|
One of `name` or `selector` must be set, but `name` and `selector` are
|
|
mutually exclusive properties. If one is set, the other must be unset.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
variables:
|
|
description: |-
|
|
Variables contain definitions of variables that can be used in composition of other expressions.
|
|
Each variable is defined as a named CEL expression.
|
|
The variables defined here will be available under `variables` in other expressions of the policy.
|
|
items:
|
|
description: Variable is the definition of a variable
|
|
that is used for composition. A variable is defined
|
|
as a named expression.
|
|
properties:
|
|
expression:
|
|
description: |-
|
|
Expression is the expression that will be evaluated as the value of the variable.
|
|
The CEL expression has access to the same identifiers as the CEL expressions in Validation.
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
|
|
The variable can be accessed in other expressions through `variables`
|
|
For example, if name is "foo", the variable will be available as `variables.foo`
|
|
type: string
|
|
required:
|
|
- expression
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
deny:
|
|
description: Deny defines conditions used to pass or fail
|
|
a validation rule.
|
|
properties:
|
|
conditions:
|
|
description: |-
|
|
Multiple conditions can be declared under an `any` or `all` statement. A direct list
|
|
of conditions (without `any` or `all` statements) is also supported for backwards compatibility
|
|
but will be deprecated in the next major release.
|
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
failureAction:
|
|
description: |-
|
|
FailureAction defines if a validation policy rule violation should block
|
|
the admission review request (Enforce), or allow (Audit) the admission review request
|
|
and report an error in a policy report. Optional.
|
|
Allowed values are Audit or Enforce.
|
|
enum:
|
|
- Audit
|
|
- Enforce
|
|
type: string
|
|
failureActionOverrides:
|
|
description: |-
|
|
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
|
|
namespace-wise. It overrides FailureAction for the specified namespaces.
|
|
items:
|
|
properties:
|
|
action:
|
|
description: ValidationFailureAction defines the policy
|
|
validation failure action
|
|
enum:
|
|
- audit
|
|
- enforce
|
|
- Audit
|
|
- Enforce
|
|
type: string
|
|
namespaceSelector:
|
|
description: |-
|
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
label selector matches no objects.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
type: array
|
|
foreach:
|
|
description: ForEach applies validate rules to a list of
|
|
sub-elements by creating a context for each entry in the
|
|
list and looping over it to apply the specified logic.
|
|
items:
|
|
description: ForEachValidation applies validate rules
|
|
to a list of sub-elements by creating a context for
|
|
each entry in the list and looping over it to apply
|
|
the specified logic.
|
|
properties:
|
|
anyPattern:
|
|
description: |-
|
|
AnyPattern specifies list of validation patterns. At least one of the patterns
|
|
must be satisfied for the validation rule to succeed.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
context:
|
|
description: Context defines variables and data sources
|
|
that can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference or a APILookup must be provided.
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains the
|
|
HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns error
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference is
|
|
a reference to a cached global context entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context
|
|
entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides
|
|
credentials that will be used for authentication
|
|
with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows
|
|
insecure access to a registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
It can be one of these values: default, google, azure, amazon, github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath
|
|
context variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON
|
|
object representable in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
deny:
|
|
description: Deny defines conditions used to pass
|
|
or fail a validation rule.
|
|
properties:
|
|
conditions:
|
|
description: |-
|
|
Multiple conditions can be declared under an `any` or `all` statement. A direct list
|
|
of conditions (without `any` or `all` statements) is also supported for backwards compatibility
|
|
but will be deprecated in the next major release.
|
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
elementScope:
|
|
description: |-
|
|
ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
|
|
When set to "false", "request.object" is used as the validation scope within the foreach
|
|
block to allow referencing other elements in the subtree.
|
|
type: boolean
|
|
foreach:
|
|
description: Foreach declares a nested foreach iterator
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
list:
|
|
description: |-
|
|
List specifies a JMESPath expression that results in one or more elements
|
|
to which the validation logic is applied.
|
|
type: string
|
|
pattern:
|
|
description: Pattern specifies an overlay-style pattern
|
|
used to check resources.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
preconditions:
|
|
description: |-
|
|
AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display
|
|
message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions needs to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display
|
|
message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
manifests:
|
|
description: Manifest specifies conditions for manifest
|
|
verification
|
|
properties:
|
|
annotationDomain:
|
|
description: AnnotationDomain is the custom domain of the annotation
|
|
for message and signature. Default is "cosign.sigstore.dev".
|
|
type: string
|
|
attestors:
|
|
description: Attestors specifies the required attestors
|
|
(i.e. authorities)
|
|
items:
|
|
properties:
|
|
count:
|
|
description: |-
|
|
Count specifies the required number of entries that must match. If the count is null, all entries must match
|
|
(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
|
|
value N, then N must be less than or equal to the size of entries, and at least N entries must match.
|
|
minimum: 1
|
|
type: integer
|
|
entries:
|
|
description: |-
|
|
Entries contains the available attestors. An attestor can be a static key,
|
|
attributes for keyless verification, or a nested attestor declaration.
|
|
items:
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations are used for image verification.
|
|
Every specified key-value pair must exist and match in the verified payload.
|
|
The payload may contain other key-value pairs.
|
|
type: object
|
|
attestor:
|
|
description: Attestor is a nested set of
|
|
Attestor used to specify a more complex
|
|
set of match authorities.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
certificates:
|
|
description: Certificates specifies one
|
|
or more certificates.
|
|
properties:
|
|
cert:
|
|
description: Cert is an optional PEM-encoded
|
|
public certificate.
|
|
type: string
|
|
certChain:
|
|
description: CertChain is an optional
|
|
PEM encoded set of certificates used
|
|
to verify.
|
|
type: string
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate transparency log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set, is
|
|
used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp response.
|
|
type: string
|
|
type: object
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips transparency
|
|
log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
keyless:
|
|
description: |-
|
|
Keyless is a set of attributes used to verify a Sigstore keyless attestor.
|
|
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions are
|
|
certificate-extensions used for keyless
|
|
signing.
|
|
type: object
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate transparency log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set, is
|
|
used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp response.
|
|
type: string
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
issuerRegExp:
|
|
description: IssuerRegExp is the regular
|
|
expression to match certificate issuer
|
|
used for keyless signing.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips transparency
|
|
log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
roots:
|
|
description: |-
|
|
Roots is an optional set of PEM encoded trusted root certificates.
|
|
If not provided, the system roots are used.
|
|
type: string
|
|
subject:
|
|
description: Subject is the verified
|
|
identity used for keyless signing,
|
|
for example the email address.
|
|
type: string
|
|
subjectRegExp:
|
|
description: SubjectRegExp is the regular
|
|
expression to match identity used
|
|
for keyless signing, for example the
|
|
email address.
|
|
type: string
|
|
type: object
|
|
keys:
|
|
description: Keys specifies one or more
|
|
public keys.
|
|
properties:
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set, is
|
|
used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if it is not present in the timestamp response.
|
|
type: string
|
|
type: object
|
|
kms:
|
|
description: |-
|
|
KMS provides the URI to the public key stored in a Key Management System. See:
|
|
https://github.com/sigstore/cosign/blob/main/KMS.md
|
|
type: string
|
|
publicKeys:
|
|
description: |-
|
|
Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
|
|
specified or can be a variable reference to a key specified in a ConfigMap (see
|
|
https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
|
|
elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
|
|
The named Secret must specify a key `cosign.pub` containing the public key used for
|
|
verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
|
|
When multiple keys are specified each key is processed as a separate staticKey entry
|
|
(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips transparency
|
|
log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
secret:
|
|
description: Reference to a Secret resource
|
|
that contains a public key
|
|
properties:
|
|
name:
|
|
description: Name of the secret.
|
|
The provided secret must contain
|
|
a key named cosign.pub.
|
|
type: string
|
|
namespace:
|
|
description: Namespace name where
|
|
the Secret exists.
|
|
type: string
|
|
required:
|
|
- name
|
|
- namespace
|
|
type: object
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Deprecated. Use attestor.signatureAlgorithm
|
|
instead.
|
|
type: string
|
|
type: object
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
|
|
If specified Repository will override other OCI image repository locations for this Attestor.
|
|
type: string
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Specify signature algorithm
|
|
for public keys. Supported values are
|
|
sha224, sha256, sha384 and sha512.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
dryRun:
|
|
description: DryRun configuration
|
|
properties:
|
|
enable:
|
|
type: boolean
|
|
namespace:
|
|
type: string
|
|
type: object
|
|
ignoreFields:
|
|
description: Fields which will be ignored while comparing
|
|
manifests.
|
|
items:
|
|
properties:
|
|
fields:
|
|
items:
|
|
type: string
|
|
type: array
|
|
objects:
|
|
items:
|
|
properties:
|
|
group:
|
|
type: string
|
|
kind:
|
|
type: string
|
|
name:
|
|
type: string
|
|
namespace:
|
|
type: string
|
|
version:
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for resource bundle reference.
|
|
The repository can be overridden per Attestor or Attestation.
|
|
type: string
|
|
type: object
|
|
message:
|
|
description: Message specifies a custom message to be displayed
|
|
on failure.
|
|
type: string
|
|
pattern:
|
|
description: Pattern specifies an overlay-style pattern
|
|
used to check resources.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
podSecurity:
|
|
description: |-
|
|
PodSecurity applies exemptions for Kubernetes Pod Security admission
|
|
by specifying exclusions for Pod Security Standards controls.
|
|
properties:
|
|
exclude:
|
|
description: Exclude specifies the Pod Security Standard
|
|
controls to be excluded.
|
|
items:
|
|
description: PodSecurityStandard specifies the Pod
|
|
Security Standard controls to be excluded.
|
|
properties:
|
|
controlName:
|
|
description: |-
|
|
ControlName specifies the name of the Pod Security Standard control.
|
|
See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
|
|
enum:
|
|
- HostProcess
|
|
- Host Namespaces
|
|
- Privileged Containers
|
|
- Capabilities
|
|
- HostPath Volumes
|
|
- Host Ports
|
|
- AppArmor
|
|
- SELinux
|
|
- /proc Mount Type
|
|
- Seccomp
|
|
- Sysctls
|
|
- Volume Types
|
|
- Privilege Escalation
|
|
- Running as Non-root
|
|
- Running as Non-root user
|
|
type: string
|
|
images:
|
|
description: |-
|
|
Images selects matching containers and applies the container level PSS.
|
|
Each image is the image name consisting of the registry address, repository, image, and tag.
|
|
Empty list matches no containers, PSS checks are applied at the pod level only.
|
|
Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
|
|
items:
|
|
type: string
|
|
type: array
|
|
restrictedField:
|
|
description: |-
|
|
RestrictedField selects the field for the given Pod Security Standard control.
|
|
When not set, all restricted fields for the control are selected.
|
|
type: string
|
|
values:
|
|
description: Values defines the allowed values
|
|
that can be excluded.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- controlName
|
|
type: object
|
|
type: array
|
|
level:
|
|
description: |-
|
|
Level defines the Pod Security Standard level to be applied to workloads.
|
|
Allowed values are privileged, baseline, and restricted.
|
|
enum:
|
|
- privileged
|
|
- baseline
|
|
- restricted
|
|
type: string
|
|
version:
|
|
description: |-
|
|
Version defines the Pod Security Standard versions that Kubernetes supports.
|
|
Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
|
|
enum:
|
|
- v1.19
|
|
- v1.20
|
|
- v1.21
|
|
- v1.22
|
|
- v1.23
|
|
- v1.24
|
|
- v1.25
|
|
- v1.26
|
|
- v1.27
|
|
- v1.28
|
|
- v1.29
|
|
- latest
|
|
type: string
|
|
type: object
|
|
type: object
|
|
verifyImages:
|
|
description: VerifyImages is used to verify image signatures
|
|
and mutate them to add a digest
|
|
items:
|
|
description: |-
|
|
ImageVerification validates that images that match the specified pattern
|
|
are signed with the supplied public key. Once the image is verified it is
|
|
mutated to include the SHA digest retrieved during the registration.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: Deprecated.
|
|
type: object
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Deprecated. Use annotations per Attestor
|
|
instead.
|
|
type: object
|
|
attestations:
|
|
description: |-
|
|
Attestations are optional checks for signed in-toto Statements used to verify the image.
|
|
See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
|
|
OCI registry and decodes them into a list of Statement declarations.
|
|
items:
|
|
description: |-
|
|
Attestation are checks for signed in-toto Statements that are used to verify the image.
|
|
See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
|
|
OCI registry and decodes them into a list of Statements.
|
|
properties:
|
|
attestors:
|
|
description: Attestors specify the required attestors
|
|
(i.e. authorities).
|
|
items:
|
|
properties:
|
|
count:
|
|
description: |-
|
|
Count specifies the required number of entries that must match. If the count is null, all entries must match
|
|
(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
|
|
value N, then N must be less than or equal to the size of entries, and at least N entries must match.
|
|
minimum: 1
|
|
type: integer
|
|
entries:
|
|
description: |-
|
|
Entries contains the available attestors. An attestor can be a static key,
|
|
attributes for keyless verification, or a nested attestor declaration.
|
|
items:
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations are used for image verification.
|
|
Every specified key-value pair must exist and match in the verified payload.
|
|
The payload may contain other key-value pairs.
|
|
type: object
|
|
attestor:
|
|
description: Attestor is a nested set
|
|
of Attestor used to specify a more
|
|
complex set of match authorities.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
certificates:
|
|
description: Certificates specifies
|
|
one or more certificates.
|
|
properties:
|
|
cert:
|
|
description: Cert is an optional
|
|
PEM-encoded public certificate.
|
|
type: string
|
|
certChain:
|
|
description: CertChain is an optional
|
|
PEM encoded set of certificates
|
|
used to verify.
|
|
type: string
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set,
|
|
is used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if it is not present in the timestamp response.
|
|
type: string
|
|
type: object
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
transparency log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
keyless:
|
|
description: |-
|
|
Keyless is a set of attributes used to verify a Sigstore keyless attestor.
|
|
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions
|
|
are certificate-extensions used
|
|
for keyless signing.
|
|
type: object
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set,
|
|
is used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if it is not present in the timestamp response.
|
|
type: string
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
issuerRegExp:
|
|
description: IssuerRegExp is the
|
|
regular expression to match certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
transparency log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
roots:
|
|
description: |-
|
|
Roots is an optional set of PEM encoded trusted root certificates.
|
|
If not provided, the system roots are used.
|
|
type: string
|
|
subject:
|
|
description: Subject is the verified
|
|
identity used for keyless signing,
|
|
for example the email address.
|
|
type: string
|
|
subjectRegExp:
|
|
description: SubjectRegExp is the
|
|
regular expression to match identity
|
|
used for keyless signing, for
|
|
example the email address.
|
|
type: string
|
|
type: object
|
|
keys:
|
|
description: Keys specifies one or more
|
|
public keys.
|
|
properties:
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set,
|
|
is used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if it is not present in the timestamp response.
|
|
type: string
|
|
type: object
|
|
kms:
|
|
description: |-
|
|
KMS provides the URI to the public key stored in a Key Management System. See:
|
|
https://github.com/sigstore/cosign/blob/main/KMS.md
|
|
type: string
|
|
publicKeys:
|
|
description: |-
|
|
Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
|
|
specified or can be a variable reference to a key specified in a ConfigMap (see
|
|
https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
|
|
elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
|
|
The named Secret must specify a key `cosign.pub` containing the public key used for
|
|
verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
|
|
When multiple keys are specified each key is processed as a separate staticKey entry
|
|
(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
transparency log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
secret:
|
|
description: Reference to a Secret
|
|
resource that contains a public
|
|
key
|
|
properties:
|
|
name:
|
|
description: Name of the secret.
|
|
The provided secret must contain
|
|
a key named cosign.pub.
|
|
type: string
|
|
namespace:
|
|
description: Namespace name
|
|
where the Secret exists.
|
|
type: string
|
|
required:
|
|
- name
|
|
- namespace
|
|
type: object
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Deprecated. Use attestor.signatureAlgorithm
|
|
instead.
|
|
type: string
|
|
type: object
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
|
|
If specified Repository will override other OCI image repository locations for this Attestor.
|
|
type: string
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Specify signature algorithm
|
|
for public keys. Supported values
|
|
are sha224, sha256, sha384 and sha512.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
conditions:
|
|
description: |-
|
|
Conditions are used to verify attributes within a Predicate. If no Conditions are specified
|
|
the attestation check is satisfied as long as there are predicates that match the predicate type.
|
|
items:
|
|
description: |-
|
|
AnyAllConditions consists of conditions wrapped to denote a logical criterion to be fulfilled.
|
|
AnyConditions get fulfilled when at least one of its sub-conditions passes.
|
|
AllConditions get fulfilled only when all of its sub-conditions pass.
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
predicateType:
|
|
description: Deprecated in favour of 'Type', to
|
|
be removed soon
|
|
type: string
|
|
type:
|
|
description: Type defines the type of attestation
|
|
contained within the Statement.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
attestors:
|
|
description: Attestors specify the required attestors
|
|
(i.e. authorities)
|
|
items:
|
|
properties:
|
|
count:
|
|
description: |-
|
|
Count specifies the required number of entries that must match. If the count is null, all entries must match
|
|
(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
|
|
value N, then N must be less than or equal to the size of entries, and at least N entries must match.
|
|
minimum: 1
|
|
type: integer
|
|
entries:
|
|
description: |-
|
|
Entries contains the available attestors. An attestor can be a static key,
|
|
attributes for keyless verification, or a nested attestor declaration.
|
|
items:
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations are used for image verification.
|
|
Every specified key-value pair must exist and match in the verified payload.
|
|
The payload may contain other key-value pairs.
|
|
type: object
|
|
attestor:
|
|
description: Attestor is a nested set of Attestor
|
|
used to specify a more complex set of match
|
|
authorities.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
certificates:
|
|
description: Certificates specifies one or
|
|
more certificates.
|
|
properties:
|
|
cert:
|
|
description: Cert is an optional PEM-encoded
|
|
public certificate.
|
|
type: string
|
|
certChain:
|
|
description: CertChain is an optional
|
|
PEM encoded set of certificates used
|
|
to verify.
|
|
type: string
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set, is used
|
|
to validate SCTs against a custom
|
|
source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if it is not present in the timestamp response.
|
|
type: string
|
|
type: object
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips transparency
|
|
log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address of
|
|
the transparency log. Defaults to
|
|
the public Rekor log instance https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
keyless:
|
|
description: |-
|
|
Keyless is a set of attributes used to verify a Sigstore keyless attestor.
|
|
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions are
|
|
certificate-extensions used for keyless
|
|
signing.
|
|
type: object
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set, is used
|
|
to validate SCTs against a custom
|
|
source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if it is not present in the timestamp response.
|
|
type: string
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
issuerRegExp:
|
|
description: IssuerRegExp is the regular
|
|
expression to match certificate issuer
|
|
used for keyless signing.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips transparency
|
|
log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address of
|
|
the transparency log. Defaults to
|
|
the public Rekor log instance https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
roots:
|
|
description: |-
|
|
Roots is an optional set of PEM encoded trusted root certificates.
|
|
If not provided, the system roots are used.
|
|
type: string
|
|
subject:
|
|
description: Subject is the verified identity
|
|
used for keyless signing, for example
|
|
the email address.
|
|
type: string
|
|
subjectRegExp:
|
|
description: SubjectRegExp is the regular
|
|
expression to match identity used for
|
|
keyless signing, for example the email
|
|
address.
|
|
type: string
|
|
type: object
|
|
keys:
|
|
description: Keys specifies one or more public
|
|
keys.
|
|
properties:
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set, is used
|
|
to validate SCTs against a custom
|
|
source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if it is not present in the timestamp response.
|
|
type: string
|
|
type: object
|
|
kms:
|
|
description: |-
|
|
KMS provides the URI to the public key stored in a Key Management System. See:
|
|
https://github.com/sigstore/cosign/blob/main/KMS.md
|
|
type: string
|
|
publicKeys:
|
|
description: |-
|
|
Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
|
|
specified or can be a variable reference to a key specified in a ConfigMap (see
|
|
https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
|
|
elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
|
|
The named Secret must specify a key `cosign.pub` containing the public key used for
|
|
verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
|
|
When multiple keys are specified each key is processed as a separate staticKey entry
|
|
(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips transparency
|
|
log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address of
|
|
the transparency log. Defaults to
|
|
the public Rekor log instance https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
secret:
|
|
description: Reference to a Secret resource
|
|
that contains a public key
|
|
properties:
|
|
name:
|
|
description: Name of the secret. The
|
|
provided secret must contain a key
|
|
named cosign.pub.
|
|
type: string
|
|
namespace:
|
|
description: Namespace name where
|
|
the Secret exists.
|
|
type: string
|
|
required:
|
|
- name
|
|
- namespace
|
|
type: object
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Deprecated. Use attestor.signatureAlgorithm
|
|
instead.
|
|
type: string
|
|
type: object
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
|
|
If specified Repository will override other OCI image repository locations for this Attestor.
|
|
type: string
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Specify signature algorithm for
|
|
public keys. Supported values are sha224,
|
|
sha256, sha384 and sha512.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
cosignOCI11:
|
|
description: |-
|
|
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
|
Defaults to false.
|
|
type: boolean
|
|
failureAction:
|
|
description: Allowed values are Audit or Enforce.
|
|
enum:
|
|
- Audit
|
|
- Enforce
|
|
type: string
|
|
image:
|
|
description: Deprecated. Use ImageReferences instead.
|
|
type: string
|
|
imageReferences:
|
|
description: |-
|
|
ImageReferences is a list of matching image reference patterns. At least one pattern in the
|
|
list must match the image for the rule to apply. Each image reference consists of a registry
|
|
address (defaults to docker.io), repository, image, and tag (defaults to latest).
|
|
Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
|
|
items:
|
|
type: string
|
|
type: array
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides credentials
|
|
that will be used for authentication with registry.
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows insecure
|
|
access to a registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
It can be of one of these values: default,google,azure,amazon,github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
issuer:
|
|
description: Deprecated. Use KeylessAttestor instead.
|
|
type: string
|
|
key:
|
|
description: Deprecated. Use StaticKeyAttestor instead.
|
|
type: string
|
|
mutateDigest:
|
|
default: true
|
|
description: |-
|
|
MutateDigest enables replacement of image tags with digests.
|
|
Defaults to true.
|
|
type: boolean
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
|
|
If specified Repository will override the default OCI image repository configured for the installation.
|
|
The repository can also be overridden per Attestor or Attestation.
|
|
type: string
|
|
required:
|
|
default: true
|
|
description: Required validates that images are verified
|
|
i.e. have passed a signature or attestation
|
|
check.
|
|
type: boolean
|
|
roots:
|
|
description: Deprecated. Use KeylessAttestor instead.
|
|
type: string
|
|
skipImageReferences:
|
|
description: |-
|
|
SkipImageReferences is a list of matching image reference patterns that should be skipped.
|
|
At least one pattern in the list must match the image for the rule to be skipped. Each image reference
|
|
consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
|
|
Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subject:
|
|
description: Deprecated. Use KeylessAttestor instead.
|
|
type: string
|
|
type:
|
|
description: |-
|
|
Type specifies the method of signature validation. The allowed options
|
|
are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified.
|
|
enum:
|
|
- Cosign
|
|
- SigstoreBundle
|
|
- Notary
|
|
type: string
|
|
useCache:
|
|
default: true
|
|
description: UseCache enables caching of image verify
|
|
responses for this rule.
|
|
type: boolean
|
|
verifyDigest:
|
|
default: true
|
|
description: VerifyDigest validates that images have a
|
|
digest.
|
|
type: boolean
|
|
type: object
|
|
type: array
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
schemaValidation:
|
|
description: Deprecated.
|
|
type: boolean
|
|
useServerSideApply:
|
|
description: |-
|
|
UseServerSideApply controls whether to use server-side apply for generate rules
|
|
If set to "true", create & update for generate rules will use apply instead of create/update.
|
|
Defaults to "false" if not specified.
|
|
type: boolean
|
|
validationFailureAction:
|
|
default: Audit
|
|
description: Deprecated, use validationFailureAction under the validate
|
|
rule instead.
|
|
enum:
|
|
- audit
|
|
- enforce
|
|
- Audit
|
|
- Enforce
|
|
type: string
|
|
validationFailureActionOverrides:
|
|
description: Deprecated, use validationFailureActionOverrides under
|
|
the validate rule instead.
|
|
items:
|
|
properties:
|
|
action:
|
|
description: ValidationFailureAction defines the policy validation
|
|
failure action
|
|
enum:
|
|
- audit
|
|
- enforce
|
|
- Audit
|
|
- Enforce
|
|
type: string
|
|
namespaceSelector:
|
|
description: |-
|
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
label selector matches no objects.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label selector
|
|
requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the selector
|
|
applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
type: array
|
|
webhookConfiguration:
|
|
description: WebhookConfiguration specifies the custom configuration
|
|
for Kubernetes admission webhookconfiguration.
|
|
properties:
|
|
failurePolicy:
|
|
description: |-
|
|
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
|
|
Rules within the same policy share the same failure behavior.
|
|
This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
|
|
Allowed values are Ignore or Fail. Defaults to Fail.
|
|
enum:
|
|
- Ignore
|
|
- Fail
|
|
type: string
|
|
matchConditions:
|
|
description: |-
|
|
MatchCondition configures admission webhook matchConditions.
|
|
Requires Kubernetes 1.27 or later.
|
|
items:
|
|
description: MatchCondition represents a condition which must
|
|
be fulfilled for a request to be sent to a webhook.
|
|
properties:
|
|
expression:
|
|
description: |-
|
|
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
|
|
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
|
|
|
|
'object' - The object from the incoming request. The value is null for DELETE requests.
|
|
'oldObject' - The existing object. The value is null for CREATE requests.
|
|
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
|
|
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
|
|
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
|
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
|
|
request resource.
|
|
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
|
|
|
|
Required.
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name is an identifier for this match condition, used for strategic merging of MatchConditions,
|
|
as well as providing an identifier for logging purposes. A good name should be descriptive of
|
|
the associated expression.
|
|
Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
|
|
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
|
|
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
|
|
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
|
|
|
|
Required.
|
|
type: string
|
|
required:
|
|
- expression
|
|
- name
|
|
type: object
|
|
type: array
|
|
timeoutSeconds:
|
|
description: |-
|
|
TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
|
|
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
|
|
based on the failure policy. The default timeout is 10s; the value must be between 1 and 30 seconds.
|
|
format: int32
|
|
type: integer
|
|
type: object
|
|
webhookTimeoutSeconds:
|
|
description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration
|
|
instead.
|
|
format: int32
|
|
type: integer
|
|
type: object
|
|
status:
|
|
description: Deprecated. Policy metrics are available via the metrics
|
|
endpoint
|
|
properties:
|
|
autogen:
|
|
description: AutogenStatus contains autogen status information.
|
|
properties:
|
|
rules:
|
|
description: Rules is a list of Rule instances. It contains auto
|
|
generated rules added for pod controllers
|
|
items:
|
|
description: |-
|
|
Rule defines a validation, mutation, or generation control for matching resources.
|
|
Each rule contains a match declaration to select resources, and an optional exclude
|
|
declaration to specify which resources to exclude.
|
|
properties:
|
|
celPreconditions:
|
|
description: |-
|
|
CELPreconditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of CEL conditions. It can only be used with the validate.cel subrule
|
|
items:
|
|
description: MatchCondition represents a condition which
|
|
must be fulfilled for a request to be sent to a webhook.
|
|
properties:
|
|
expression:
|
|
description: |-
|
|
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
|
|
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
|
|
|
|
'object' - The object from the incoming request. The value is null for DELETE requests.
|
|
'oldObject' - The existing object. The value is null for CREATE requests.
|
|
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
|
|
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
|
|
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
|
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
|
|
request resource.
|
|
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
|
|
|
|
Required.
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name is an identifier for this match condition, used for strategic merging of MatchConditions,
|
|
as well as providing an identifier for logging purposes. A good name should be descriptive of
|
|
the associated expression.
|
|
Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
|
|
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
|
|
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
|
|
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
|
|
|
|
Required.
|
|
type: string
|
|
required:
|
|
- expression
|
|
- name
|
|
type: object
|
|
type: array
|
|
context:
|
|
description: Context defines variables and data sources
|
|
that can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference or a APILookup must be provided.
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains the HTTP POST
|
|
data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns an error
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request type (GET
|
|
or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference is a reference
|
|
to a cached global context entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides
|
|
credentials that will be used for authentication
|
|
with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows
|
|
insecure access to a registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
It can be of one of these values: default,google,azure,amazon,github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential providers
|
|
required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath
|
|
context variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON object
|
|
representable in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
exclude:
|
|
description: |-
|
|
ExcludeResources defines when this policy rule should not be applied. The exclude
|
|
criteria can include resource information (e.g. kind, name, namespace, labels)
|
|
and admission review request information like the name or role.
|
|
not:
|
|
required:
|
|
- any
|
|
- all
|
|
properties:
|
|
all:
|
|
description: All allows specifying resources which will
|
|
be ANDed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or
|
|
"OR" between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values
|
|
["CREATE", "UPDATE", "CONNECT", "DELETE"],
|
|
which are used to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have
|
|
one of the values CREATE, UPDATE, CONNECT,
|
|
DELETE, which are used to match a specific
|
|
action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: Any allows specifying resources which will
|
|
be ORed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or
|
|
"OR" between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values
|
|
["CREATE", "UPDATE", "CONNECT", "DELETE"],
|
|
which are used to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have
|
|
one of the values CREATE, UPDATE, CONNECT,
|
|
DELETE, which are used to match a specific
|
|
action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: |-
|
|
ResourceDescription contains information about the resource being created or modified.
|
|
Requires at least one tag to be specified when under MatchResources.
|
|
Specifying ResourceDescription directly under match is being deprecated.
|
|
Please specify under "any" or "all" instead.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used
|
|
to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one of
|
|
the values CREATE, UPDATE, CONNECT, DELETE,
|
|
which are used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
generate:
|
|
description: Generation is used to create new resources.
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
clone:
|
|
description: |-
|
|
Clone specifies the source resource used to populate each generated resource.
|
|
At most one of Data or Clone can be specified. If neither are provided, the generated
|
|
resource will be created with default data only.
|
|
properties:
|
|
name:
|
|
description: Name specifies name of the resource.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies source resource
|
|
namespace.
|
|
type: string
|
|
type: object
|
|
cloneList:
|
|
description: CloneList specifies the list of source
|
|
resources used to populate each generated resource.
|
|
properties:
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespace:
|
|
description: Namespace specifies source resource
|
|
namespace.
|
|
type: string
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector for the source resources. Label keys and values in `matchLabels`
do not support wildcard characters.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
data:
|
|
description: |-
|
|
Data provides the resource declaration used to populate each generated resource.
|
|
At most one of Data or Clone can be specified. If neither are provided, the generated
|
|
resource will be created with default data only.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
foreach:
|
|
description: ForEach applies generate rules to a list
|
|
of sub-elements by creating a context for each entry
|
|
in the list and looping over it to apply the specified
|
|
logic.
|
|
items:
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
clone:
|
|
description: |-
|
|
Clone specifies the source resource used to populate each generated resource.
|
|
At most one of Data or Clone can be specified. If neither are provided, the generated
|
|
resource will be created with default data only.
|
|
properties:
|
|
name:
|
|
description: Name specifies name of the resource.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies source resource
|
|
namespace.
|
|
type: string
|
|
type: object
|
|
cloneList:
|
|
description: CloneList specifies the list of source
|
|
resources used to populate each generated resource.
|
|
properties:
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespace:
|
|
description: Namespace specifies source resource
|
|
namespace.
|
|
type: string
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector for the source resources. Label keys and values in `matchLabels`
do not support wildcard characters.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
context:
|
|
description: Context defines variables and data
|
|
sources that can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Exactly one of
configMap, apiCall, imageRegistry, variable or globalReference must be provided.
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains
|
|
the HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data
|
|
value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns error
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap
|
|
reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference
|
|
is a reference to a cached global context
|
|
entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context
|
|
entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials
|
|
provides credentials that will be
|
|
used for authentication with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry
|
|
allows insecure access to a registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
It can be one of these values: default, google, azure, amazon, github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary
|
|
JMESPath context variable that can be
|
|
defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary
|
|
JSON object representable in YAML
|
|
or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
data:
|
|
description: |-
|
|
Data provides the resource declaration used to populate each generated resource.
|
|
At most one of Data or Clone can be specified. If neither are provided, the generated
|
|
resource will be created with default data only.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
list:
|
|
description: |-
|
|
List specifies a JMESPath expression that results in one or more elements
|
|
to which the generate logic is applied.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
preconditions:
|
|
description: |-
|
|
AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
uid:
|
|
description: UID specifies the resource uid.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
generateExisting:
|
|
description: |-
|
|
GenerateExisting controls whether to trigger the rule in existing resources
|
|
If set to "true" the rule will be triggered and applied to existing matched resources.
|
|
type: boolean
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
orphanDownstreamOnPolicyDelete:
|
|
description: |-
|
|
OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
|
|
them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
|
|
See https://kyverno.io/docs/writing-policies/generate/#data-examples.
|
|
Defaults to "false" if not specified.
|
|
type: boolean
|
|
synchronize:
|
|
description: |-
|
|
Synchronize controls if generated resources should be kept in-sync with their source resource.
|
|
If Synchronize is set to "true" changes to generated resources will be overwritten with resource
|
|
data from Data or the resource specified in the Clone declaration.
|
|
Optional. Defaults to "false" if not specified.
|
|
type: boolean
|
|
uid:
|
|
description: UID specifies the resource uid.
|
|
type: string
|
|
type: object
|
|
imageExtractors:
|
|
additionalProperties:
|
|
items:
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath expression to apply to the image value.
|
|
This is useful when the extracted image begins with a prefix like 'docker://'.
|
|
The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
|
|
Note - Image digest mutation may not be used when applying a JMESPath to an image.
|
|
type: string
|
|
key:
|
|
description: |-
|
|
Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
|
|
Note - this field MUST be unique.
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name is the entry the image will be available under 'images.<name>' in the context.
|
|
If this field is not defined, image entries will appear under 'images.custom'.
|
|
type: string
|
|
path:
|
|
description: |-
|
|
Path is the path to the object containing the image field in a custom resource.
|
|
It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
|
|
Wildcard keys are expanded in case of arrays or objects.
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is an optional name of the field within 'path' that points to the image URI.
|
|
This is useful when a custom 'key' is also defined.
|
|
type: string
|
|
required:
|
|
- path
|
|
type: object
|
|
type: array
|
|
description: |-
|
|
ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
|
|
This config is only valid for verifyImages rules.
|
|
type: object
|
|
match:
|
|
description: |-
|
|
MatchResources defines when this policy rule should be applied. The match
|
|
criteria can include resource information (e.g. kind, name, namespace, labels)
|
|
and admission review request information like the user name or role.
|
|
At least one kind is required.
|
|
not:
|
|
required:
|
|
- any
|
|
- all
|
|
properties:
|
|
all:
|
|
description: All allows specifying resources which will
|
|
be ANDed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or
|
|
"OR" between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values
|
|
["CREATE", "UPDATE", "CONNECT", "DELETE"],
|
|
which are used to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have
|
|
one of the values CREATE, UPDATE, CONNECT,
|
|
DELETE, which are used to match a specific
|
|
action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: Any allows specifying resources which will
|
|
be ORed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or
|
|
"OR" between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values
|
|
["CREATE, "UPDATE", "CONNECT", "DELETE"],
|
|
which are used to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have
|
|
one of the values CREATE, UPDATE, CONNECT,
|
|
DELETE, which are used to match a specific
|
|
action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: |-
|
|
ResourceDescription contains information about the resource being created or modified.
|
|
Requires at least one tag to be specified when under MatchResources.
|
|
Specifying ResourceDescription directly under match is being deprecated.
|
|
Please specify under "any" or "all" instead.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE,
|
|
"UPDATE", "CONNECT", "DELETE"], which are used
|
|
to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one of
|
|
the values CREATE, UPDATE, CONNECT, DELETE,
|
|
which are used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
mutate:
|
|
description: Mutation is used to modify matching resources.
|
|
properties:
|
|
foreach:
|
|
description: ForEach applies mutation rules to a list
|
|
of sub-elements by creating a context for each entry
|
|
in the list and looping over it to apply the specified
|
|
logic.
|
|
items:
|
|
description: ForEachMutation applies mutation rules
|
|
to a list of sub-elements by creating a context
|
|
for each entry in the list and looping over it to
|
|
apply the specified logic.
|
|
properties:
|
|
context:
|
|
description: Context defines variables and data
|
|
sources that can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference, an API call, an image registry lookup, an inline variable, or a global context reference must be provided (exactly one per entry).
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains
|
|
the HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data
|
|
value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns an error. Note that a default silently masks lookup failures, so the policy's decision may then rest on the fallback value.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap
|
|
reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference
|
|
is a reference to a cached global context
|
|
entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context
|
|
entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials
|
|
provides credentials that will be
|
|
used for authentication with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry
|
|
allows insecure access to a registry. This weakens transport security for image lookups and should not be enabled for production registries.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of registry credential providers to use for authentication.
|
|
Each entry must be one of: default, google, azure, amazon, github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary
|
|
JMESPath context variable that can be
|
|
defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary
|
|
JSON object representable in YAML
|
|
or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
foreach:
|
|
description: Foreach declares a nested foreach
|
|
iterator
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
list:
|
|
description: |-
|
|
List specifies a JMESPath expression that results in one or more elements
|
|
to which the mutation logic is applied.
|
|
type: string
|
|
order:
|
|
description: |-
|
|
Order defines the iteration order on the list.
|
|
Can be Ascending to iterate from first to last element or Descending to iterate from last to first element.
|
|
enum:
|
|
- Ascending
|
|
- Descending
|
|
type: string
|
|
patchStrategicMerge:
|
|
description: |-
|
|
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
|
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
|
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
patchesJson6902:
|
|
description: |-
|
|
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
|
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
|
type: string
|
|
preconditions:
|
|
description: |-
|
|
AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions needs to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
mutateExistingOnPolicyUpdate:
|
|
description: MutateExistingOnPolicyUpdate controls if
|
|
the mutateExisting rule will be applied on policy
|
|
events.
|
|
type: boolean
|
|
patchStrategicMerge:
|
|
description: |-
|
|
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
|
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
|
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
patchesJson6902:
|
|
description: |-
|
|
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
|
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
|
type: string
|
|
targets:
|
|
description: Targets defines the target resources to
|
|
be mutated.
|
|
items:
|
|
description: TargetResourceSpec defines targets for
|
|
mutating existing resources.
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
context:
|
|
description: Context defines variables and data
|
|
sources that can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference, an API call, an image registry lookup, an inline variable, or a global context reference must be provided (exactly one per entry).
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains
|
|
the HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data
|
|
value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns an error. Note that a default silently masks lookup failures, so the policy's decision may then rest on the fallback value.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap
|
|
reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference
|
|
is a reference to a cached global context
|
|
entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the data held by the referenced global context entry.
|
|
type: string
|
|
name:
|
|
description: Name of the global context
|
|
entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials
|
|
provides credentials that will be
|
|
used for authentication with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry
|
|
allows insecure access to a registry (e.g. without TLS verification). Leave unset unless the registry is reachable only over a trusted network.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies the list of OCI registry credential providers to use for authentication.
|
|
It can be one of these values: default, google, azure, amazon, github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary
|
|
JMESPath context variable that can be
|
|
defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary
|
|
JSON object representable in YAML
|
|
or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
preconditions:
|
|
description: |-
|
|
Preconditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
|
|
of conditions (without `any` or `all` statements) is supported for backwards compatibility but
|
|
will be deprecated in the next major release.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
uid:
|
|
description: UID specifies the resource uid.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
name:
|
|
description: Name is a label to identify the rule, It must
|
|
be unique within the policy.
|
|
maxLength: 63
|
|
type: string
|
|
preconditions:
|
|
description: |-
|
|
Preconditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
|
|
of conditions (without `any` or `all` statements) is supported for backwards compatibility but
|
|
will be deprecated in the next major release.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
reportProperties:
|
|
additionalProperties:
|
|
type: string
|
|
description: ReportProperties are the additional properties
|
|
from the rule that will be added to the policy report
|
|
result
|
|
type: object
|
|
skipBackgroundRequests:
|
|
default: true
|
|
description: |-
|
|
SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
|
|
The default value is set to "true", it must be set to "false" to apply
|
|
generate and mutateExisting rules to those requests.
|
|
type: boolean
|
|
validate:
|
|
description: Validation is used to validate matching resources.
|
|
properties:
|
|
anyPattern:
|
|
description: |-
|
|
AnyPattern specifies list of validation patterns. At least one of the patterns
|
|
must be satisfied for the validation rule to succeed.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
assert:
|
|
description: Assert defines a kyverno-json assertion
|
|
tree.
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
cel:
|
|
description: CEL allows validation checks using the
|
|
Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
|
|
properties:
|
|
auditAnnotations:
|
|
description: AuditAnnotations contains CEL expressions
|
|
which are used to produce audit annotations for
|
|
the audit event of the API request.
|
|
items:
|
|
description: AuditAnnotation describes how to
|
|
produce an audit annotation for an API request.
|
|
properties:
|
|
key:
|
|
description: |-
|
|
key specifies the audit annotation key. The audit annotation keys of
|
|
a ValidatingAdmissionPolicy must be unique. The key must be a qualified
|
|
name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
|
|
|
|
The key is combined with the resource name of the
|
|
ValidatingAdmissionPolicy to construct an audit annotation key:
|
|
"{ValidatingAdmissionPolicy name}/{key}".
|
|
|
|
If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
|
|
and the same audit annotation key, the annotation key will be identical.
|
|
In this case, the first annotation written with the key will be included
|
|
in the audit event and all subsequent annotations with the same key
|
|
will be discarded.
|
|
|
|
Required.
|
|
type: string
|
|
valueExpression:
|
|
description: |-
|
|
valueExpression represents the expression which is evaluated by CEL to
|
|
produce an audit annotation value. The expression must evaluate to either
|
|
a string or null value. If the expression evaluates to a string, the
|
|
audit annotation is included with the string value. If the expression
|
|
evaluates to null or empty string the audit annotation will be omitted.
|
|
The valueExpression may be no longer than 5kb in length.
|
|
If the result of the valueExpression is more than 10kb in length, it
|
|
will be truncated to 10kb.
|
|
|
|
If multiple ValidatingAdmissionPolicyBinding resources match an
|
|
API request, then the valueExpression will be evaluated for
|
|
each binding. All unique values produced by the valueExpressions
|
|
will be joined together in a comma-separated list.
|
|
|
|
Required.
|
|
type: string
|
|
required:
|
|
- key
|
|
- valueExpression
|
|
type: object
|
|
type: array
|
|
expressions:
|
|
description: Expressions is a list of CELExpression
|
|
types.
|
|
items:
|
|
description: Validation specifies the CEL expression
|
|
which is used to apply the validation.
|
|
properties:
|
|
expression:
|
|
description: "Expression represents the expression
|
|
which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
|
|
expressions have access to the contents
|
|
of the API request/response, organized into
|
|
CEL variables as well as some other useful
|
|
variables:\n\n- 'object' - The object from
|
|
the incoming request. The value is null
|
|
for DELETE requests.\n- 'oldObject' - The
|
|
existing object. The value is null for CREATE
|
|
requests.\n- 'request' - Attributes of the
|
|
API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
|
|
'params' - Parameter resource referred to
|
|
by the policy binding being evaluated. Only
|
|
populated if the policy has a ParamKind.\n-
|
|
'namespaceObject' - The namespace object
|
|
that the incoming object belongs to. The
|
|
value is null for cluster-scoped resources.\n-
|
|
'variables' - Map of composited variables,
|
|
from its name to its lazily evaluated value.\n
|
|
\ For example, a variable named 'foo' can
|
|
be accessed as 'variables.foo'.\n- 'authorizer'
|
|
- A CEL Authorizer. May be used to perform
|
|
authorization checks for the principal (user
|
|
or service account) of the request.\n See
|
|
https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
|
|
'authorizer.requestResource' - A CEL ResourceCheck
|
|
constructed from the 'authorizer' and configured
|
|
with the\n request resource.\n\nThe `apiVersion`,
|
|
`kind`, `metadata.name` and `metadata.generateName`
|
|
are always accessible from the root of the\nobject.
|
|
No other metadata properties are accessible.\n\nOnly
|
|
property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
|
|
are accessible.\nAccessible property names
|
|
are escaped according to the following rules
|
|
when accessed in the expression:\n- '__'
|
|
escapes to '__underscores__'\n- '.' escapes
|
|
to '__dot__'\n- '-' escapes to '__dash__'\n-
|
|
'/' escapes to '__slash__'\n- Property names
|
|
that exactly match a CEL RESERVED keyword
|
|
escape to '__{keyword}__'. The keywords
|
|
are:\n\t \"true\", \"false\", \"null\",
|
|
\"in\", \"as\", \"break\", \"const\", \"continue\",
|
|
\"else\", \"for\", \"function\", \"if\",\n\t
|
|
\ \"import\", \"let\", \"loop\", \"package\",
|
|
\"namespace\", \"return\".\nExamples:\n
|
|
\ - Expression accessing a property named
|
|
\"namespace\": {\"Expression\": \"object.__namespace__
|
|
> 0\"}\n - Expression accessing a property
|
|
named \"x-prop\": {\"Expression\": \"object.x__dash__prop
|
|
> 0\"}\n - Expression accessing a property
|
|
named \"redact__d\": {\"Expression\": \"object.redact__underscores__d
|
|
> 0\"}\n\nEquality on arrays with list type
|
|
of 'set' or 'map' ignores element order,
|
|
i.e. [1, 2] == [2, 1].\nConcatenation on
|
|
arrays with x-kubernetes-list-type use the
|
|
semantics of the list type:\n - 'set':
|
|
`X + Y` performs a union where the array
|
|
positions of all elements in `X` are preserved
|
|
and\n non-intersecting elements in `Y`
|
|
are appended, retaining their partial order.\n
|
|
\ - 'map': `X + Y` performs a merge where
|
|
the array positions of all keys in `X` are
|
|
preserved but the values\n are overwritten
|
|
by values in `Y` when the key sets of `X`
|
|
and `Y` intersect. Elements in `Y` with\n
|
|
\ non-intersecting keys are appended,
|
|
retaining their partial order.\nRequired."
|
|
type: string
|
|
message:
|
|
description: |-
|
|
Message represents the message displayed when validation fails. The message is required if the Expression contains
|
|
line breaks. The message must not contain line breaks.
|
|
If unset, the message is "failed rule: {Rule}".
|
|
e.g. "must be a URL with the host matching spec.host"
|
|
If the Expression contains line breaks. Message is required.
|
|
The message must not contain line breaks.
|
|
If unset, the message is "failed Expression: {Expression}".
|
|
type: string
|
|
messageExpression:
|
|
description: |-
|
|
messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
|
|
Since messageExpression is used as a failure message, it must evaluate to a string.
|
|
If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
|
|
If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
|
|
as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
|
|
that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
|
|
the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
|
|
messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
|
|
Example:
|
|
"object.x must be less than max ("+string(params.max)+")"
|
|
type: string
|
|
reason:
|
|
description: |-
|
|
Reason represents a machine-readable description of why this validation failed.
|
|
If this is the first validation in the list to fail, this reason, as well as the
|
|
corresponding HTTP response code, are used in the
|
|
HTTP response to the client.
|
|
The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
|
|
If not set, StatusReasonInvalid is used in the response to the client.
|
|
type: string
|
|
required:
|
|
- expression
|
|
type: object
|
|
type: array
|
|
paramKind:
|
|
description: ParamKind is a tuple of Group Kind
|
|
and Version.
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion is the API group version the resources belong to.
|
|
In format of "group/version".
|
|
Required.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is the API kind the resources belong to.
|
|
Required.
|
|
type: string
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
paramRef:
|
|
description: ParamRef references a parameter resource.
|
|
properties:
|
|
name:
|
|
description: |-
|
|
name is the name of the resource being referenced.
|
|
|
|
One of `name` or `selector` must be set, but `name` and `selector` are
|
|
mutually exclusive properties. If one is set, the other must be unset.
|
|
|
|
A single parameter used for all admission requests can be configured
|
|
by setting the `name` field, leaving `selector` blank, and setting namespace
|
|
if `paramKind` is namespace-scoped.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
namespace is the namespace of the referenced resource. Allows limiting
|
|
the search for params to a specific namespace. Applies to both `name` and
|
|
`selector` fields.
|
|
|
|
A per-namespace parameter may be used by specifying a namespace-scoped
|
|
`paramKind` in the policy and leaving this field empty.
|
|
|
|
- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
|
|
field results in a configuration error.
|
|
|
|
- If `paramKind` is namespace-scoped, the namespace of the object being
|
|
evaluated for admission will be used when this field is left unset. Take
|
|
care that if this is left empty the binding must not match any cluster-scoped
|
|
resources, which will result in an error.
|
|
type: string
|
|
parameterNotFoundAction:
|
|
description: |-
|
|
`parameterNotFoundAction` controls the behavior of the binding when the resource
|
|
exists, and name or selector is valid, but there are no parameters
|
|
matched by the binding. If the value is set to `Allow`, then no
|
|
matched parameters will be treated as successful validation by the binding.
|
|
If set to `Deny`, then no matched parameters will be subject to the
|
|
`failurePolicy` of the policy.
|
|
|
|
Allowed values are `Allow` or `Deny`
|
|
|
|
Required
|
|
type: string
|
|
selector:
|
|
description: |-
|
|
selector can be used to match multiple param objects based on their labels.
|
|
Supply selector: {} to match all resources of the ParamKind.
|
|
|
|
If multiple params are found, they are all evaluated with the policy expressions
|
|
and the results are ANDed together.
|
|
|
|
One of `name` or `selector` must be set, but `name` and `selector` are
|
|
mutually exclusive properties. If one is set, the other must be unset.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
variables:
|
|
description: |-
|
|
Variables contain definitions of variables that can be used in composition of other expressions.
|
|
Each variable is defined as a named CEL expression.
|
|
The variables defined here will be available under `variables` in other expressions of the policy.
|
|
items:
|
|
description: Variable is the definition of a variable
|
|
that is used for composition. A variable is
|
|
defined as a named expression.
|
|
properties:
|
|
expression:
|
|
description: |-
|
|
Expression is the expression that will be evaluated as the value of the variable.
|
|
The CEL expression has access to the same identifiers as the CEL expressions in Validation.
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
|
|
The variable can be accessed in other expressions through `variables`
|
|
For example, if name is "foo", the variable will be available as `variables.foo`
|
|
type: string
|
|
required:
|
|
- expression
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
deny:
|
|
description: Deny defines conditions used to pass or
|
|
fail a validation rule.
|
|
properties:
|
|
conditions:
|
|
description: |-
|
|
Multiple conditions can be declared under an `any` or `all` statement. A direct list
|
|
of conditions (without `any` or `all` statements) is also supported for backwards compatibility
|
|
but will be deprecated in the next major release.
|
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
failureAction:
|
|
description: |-
|
|
FailureAction defines if a validation policy rule violation should block
|
|
the admission review request (Enforce), or allow (Audit) the admission review request
|
|
and report an error in a policy report. Optional.
|
|
Allowed values are Audit or Enforce.
|
|
enum:
|
|
- Audit
|
|
- Enforce
|
|
type: string
|
|
failureActionOverrides:
|
|
description: |-
|
|
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
|
|
namespace-wise. It overrides FailureAction for the specified namespaces.
|
|
items:
|
|
properties:
|
|
action:
|
|
description: ValidationFailureAction defines the
|
|
policy validation failure action
|
|
enum:
|
|
- audit
|
|
- enforce
|
|
- Audit
|
|
- Enforce
|
|
type: string
|
|
namespaceSelector:
|
|
description: |-
|
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
label selector matches no objects.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
type: array
|
|
foreach:
|
|
description: ForEach applies validate rules to a list
|
|
of sub-elements by creating a context for each entry
|
|
in the list and looping over it to apply the specified
|
|
logic.
|
|
items:
|
|
description: ForEachValidation applies validate rules
|
|
to a list of sub-elements by creating a context
|
|
for each entry in the list and looping over it to
|
|
apply the specified logic.
|
|
properties:
|
|
anyPattern:
|
|
description: |-
|
|
AnyPattern specifies list of validation patterns. At least one of the patterns
|
|
must be satisfied for the validation rule to succeed.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
context:
|
|
description: Context defines variables and data
|
|
sources that can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference, an APILookup, an ImageRegistry lookup, an inline Variable, or a GlobalReference must be provided.
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains
|
|
the HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data
|
|
value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns error
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap
|
|
reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference
|
|
is a reference to a cached global context
|
|
entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the data held by the referenced global context entry.
|
|
type: string
|
|
name:
|
|
description: Name of the global context
|
|
entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials
|
|
provides credentials that will be
|
|
used for authentication with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry
|
|
allows insecure access to a registry (e.g. without TLS verification). Leave unset unless the registry is reachable only over a trusted network.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies the list of OCI registry credential providers to use for authentication.
|
|
It can be one of these values: default, google, azure, amazon, github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary
|
|
JMESPath context variable that can be
|
|
defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary
|
|
JSON object representable in YAML
|
|
or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
deny:
|
|
description: Deny defines conditions used to pass
|
|
or fail a validation rule.
|
|
properties:
|
|
conditions:
|
|
description: |-
|
|
Multiple conditions can be declared under an `any` or `all` statement. A direct list
|
|
of conditions (without `any` or `all` statements) is also supported for backwards compatibility
|
|
but will be deprecated in the next major release.
|
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
elementScope:
|
|
description: |-
|
|
ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
|
|
When set to "false", "request.object" is used as the validation scope within the foreach
|
|
block to allow referencing other elements in the subtree.
|
|
type: boolean
|
|
foreach:
|
|
description: Foreach declares a nested foreach
|
|
iterator
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
list:
|
|
description: |-
|
|
List specifies a JMESPath expression that results in one or more elements
|
|
to which the validation logic is applied.
|
|
type: string
|
|
pattern:
|
|
description: Pattern specifies an overlay-style
|
|
pattern used to check resources.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
preconditions:
|
|
description: |-
|
|
AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
manifests:
|
|
description: Manifest specifies conditions for manifest
|
|
verification
|
|
properties:
|
|
annotationDomain:
|
|
description: AnnotationDomain is custom domain of
|
|
annotation for message and signature. Default
|
|
is "cosign.sigstore.dev".
|
|
type: string
|
|
attestors:
|
|
description: Attestors specify the required attestors
|
|
(i.e. authorities)
|
|
items:
|
|
properties:
|
|
count:
|
|
description: |-
|
|
Count specifies the required number of entries that must match. If the count is null, all entries must match
|
|
(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
|
|
value N, then N must be less than or equal to the size of entries, and at least N entries must match.
|
|
minimum: 1
|
|
type: integer
|
|
entries:
|
|
description: |-
|
|
Entries contains the available attestors. An attestor can be a static key,
|
|
attributes for keyless verification, or a nested attestor declaration.
|
|
items:
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations are used for image verification.
|
|
Every specified key-value pair must exist and match in the verified payload.
|
|
The payload may contain other key-value pairs.
|
|
type: object
|
|
attestor:
|
|
description: Attestor is a nested set
|
|
of Attestor used to specify a more
|
|
complex set of match authorities.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
certificates:
|
|
description: Certificates specifies
|
|
one or more certificates.
|
|
properties:
|
|
cert:
|
|
description: Cert is an optional
|
|
PEM-encoded public certificate.
|
|
type: string
|
|
certChain:
|
|
description: CertChain is an optional
|
|
PEM encoded set of certificates
|
|
used to verify.
|
|
type: string
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set,
|
|
is used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp source.
|
|
type: string
|
|
type: object
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
transparency log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
keyless:
|
|
description: |-
|
|
Keyless is a set of attributes used to verify a Sigstore keyless attestor.
|
|
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions
|
|
are certificate-extensions used
|
|
for keyless signing.
|
|
type: object
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set,
|
|
is used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp source.
|
|
type: string
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
issuerRegExp:
|
|
description: IssuerRegExp is the
|
|
regular expression to match certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
transparency log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
roots:
|
|
description: |-
|
|
Roots is an optional set of PEM encoded trusted root certificates.
|
|
If not provided, the system roots are used.
|
|
type: string
|
|
subject:
|
|
description: Subject is the verified
|
|
identity used for keyless signing,
|
|
for example the email address.
|
|
type: string
|
|
subjectRegExp:
|
|
description: SubjectRegExp is the
|
|
regular expression to match identity
|
|
used for keyless signing, for
|
|
example the email address.
|
|
type: string
|
|
type: object
|
|
keys:
|
|
description: Keys specifies one or more
|
|
public keys.
|
|
properties:
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set,
|
|
is used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp source.
|
|
type: string
|
|
type: object
|
|
kms:
|
|
description: |-
|
|
KMS provides the URI to the public key stored in a Key Management System. See:
|
|
https://github.com/sigstore/cosign/blob/main/KMS.md
|
|
type: string
|
|
publicKeys:
|
|
description: |-
|
|
Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
|
|
specified or can be a variable reference to a key specified in a ConfigMap (see
|
|
https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
|
|
elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
|
|
The named Secret must specify a key `cosign.pub` containing the public key used for
|
|
verification (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
|
|
When multiple keys are specified each key is processed as a separate staticKey entry
|
|
(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
transparency log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
secret:
|
|
description: Reference to a Secret
|
|
resource that contains a public
|
|
key
|
|
properties:
|
|
name:
|
|
description: Name of the secret.
|
|
The provided secret must contain
|
|
a key named cosign.pub.
|
|
type: string
|
|
namespace:
|
|
description: Namespace name
|
|
where the Secret exists.
|
|
type: string
|
|
required:
|
|
- name
|
|
- namespace
|
|
type: object
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Deprecated. Use attestor.signatureAlgorithm
|
|
instead.
|
|
type: string
|
|
type: object
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
|
|
If specified Repository will override other OCI image repository locations for this Attestor.
|
|
type: string
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Specify signature algorithm
|
|
for public keys. Supported values
|
|
are sha224, sha256, sha384 and sha512.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
dryRun:
|
|
description: DryRun configuration
|
|
properties:
|
|
enable:
|
|
type: boolean
|
|
namespace:
|
|
type: string
|
|
type: object
|
|
ignoreFields:
|
|
description: Fields which will be ignored while
|
|
comparing manifests.
|
|
items:
|
|
properties:
|
|
fields:
|
|
items:
|
|
type: string
|
|
type: array
|
|
objects:
|
|
items:
|
|
properties:
|
|
group:
|
|
type: string
|
|
kind:
|
|
type: string
|
|
name:
|
|
type: string
|
|
namespace:
|
|
type: string
|
|
version:
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for resource bundle reference.
|
|
The repository can be overridden per Attestor or Attestation.
|
|
type: string
|
|
type: object
|
|
message:
|
|
description: Message specifies a custom message to be
|
|
displayed on failure.
|
|
type: string
|
|
pattern:
|
|
description: Pattern specifies an overlay-style pattern
|
|
used to check resources.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
podSecurity:
|
|
description: |-
|
|
PodSecurity applies exemptions for Kubernetes Pod Security admission
|
|
by specifying exclusions for Pod Security Standards controls.
|
|
properties:
|
|
exclude:
|
|
description: Exclude specifies the Pod Security
|
|
Standard controls to be excluded.
|
|
items:
|
|
description: PodSecurityStandard specifies the
|
|
Pod Security Standard controls to be excluded.
|
|
properties:
|
|
controlName:
|
|
description: |-
|
|
ControlName specifies the name of the Pod Security Standard control.
|
|
See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
|
|
enum:
|
|
- HostProcess
|
|
- Host Namespaces
|
|
- Privileged Containers
|
|
- Capabilities
|
|
- HostPath Volumes
|
|
- Host Ports
|
|
- AppArmor
|
|
- SELinux
|
|
- /proc Mount Type
|
|
- Seccomp
|
|
- Sysctls
|
|
- Volume Types
|
|
- Privilege Escalation
|
|
- Running as Non-root
|
|
- Running as Non-root user
|
|
type: string
|
|
images:
|
|
description: |-
|
|
Images selects matching containers and applies the container level PSS.
|
|
Each image is the image name consisting of the registry address, repository, image, and tag.
|
|
Empty list matches no containers, PSS checks are applied at the pod level only.
|
|
Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
|
|
items:
|
|
type: string
|
|
type: array
|
|
restrictedField:
|
|
description: |-
|
|
RestrictedField selects the field for the given Pod Security Standard control.
|
|
When not set, all restricted fields for the control are selected.
|
|
type: string
|
|
values:
|
|
description: Values defines the allowed values
|
|
that can be excluded.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- controlName
|
|
type: object
|
|
type: array
|
|
level:
|
|
description: |-
|
|
Level defines the Pod Security Standard level to be applied to workloads.
|
|
Allowed values are privileged, baseline, and restricted.
|
|
enum:
|
|
- privileged
|
|
- baseline
|
|
- restricted
|
|
type: string
|
|
version:
|
|
description: |-
|
|
Version defines the Pod Security Standard versions that Kubernetes supports.
|
|
Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
|
|
enum:
|
|
- v1.19
|
|
- v1.20
|
|
- v1.21
|
|
- v1.22
|
|
- v1.23
|
|
- v1.24
|
|
- v1.25
|
|
- v1.26
|
|
- v1.27
|
|
- v1.28
|
|
- v1.29
|
|
- latest
|
|
type: string
|
|
type: object
|
|
type: object
|
|
verifyImages:
|
|
description: VerifyImages is used to verify image signatures
|
|
and mutate them to add a digest
|
|
items:
|
|
description: |-
|
|
ImageVerification validates that images that match the specified pattern
|
|
are signed with the supplied public key. Once the image is verified it is
|
|
mutated to include the SHA digest retrieved during the registration.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: Deprecated.
|
|
type: object
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Deprecated. Use annotations per Attestor
|
|
instead.
|
|
type: object
|
|
attestations:
|
|
description: |-
|
|
Attestations are optional checks for signed in-toto Statements used to verify the image.
|
|
See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
|
|
OCI registry and decodes them into a list of Statement declarations.
|
|
items:
|
|
description: |-
|
|
Attestation are checks for signed in-toto Statements that are used to verify the image.
|
|
See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
|
|
OCI registry and decodes them into a list of Statements.
|
|
properties:
|
|
attestors:
|
|
description: Attestors specify the required
|
|
attestors (i.e. authorities).
|
|
items:
|
|
properties:
|
|
count:
|
|
description: |-
|
|
Count specifies the required number of entries that must match. If the count is null, all entries must match
|
|
(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
|
|
value N, then N must be less than or equal to the size of entries, and at least N entries must match.
|
|
minimum: 1
|
|
type: integer
|
|
entries:
|
|
description: |-
|
|
Entries contains the available attestors. An attestor can be a static key,
|
|
attributes for keyless verification, or a nested attestor declaration.
|
|
items:
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations are used for image verification.
|
|
Every specified key-value pair must exist and match in the verified payload.
|
|
The payload may contain other key-value pairs.
|
|
type: object
|
|
attestor:
|
|
description: Attestor is a nested
|
|
set of Attestor used to specify
|
|
a more complex set of match authorities.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
certificates:
|
|
description: Certificates specifies
|
|
one or more certificates.
|
|
properties:
|
|
cert:
|
|
description: Cert is an optional
|
|
PEM-encoded public certificate.
|
|
type: string
|
|
certChain:
|
|
description: CertChain is an
|
|
optional PEM encoded set of
|
|
certificates used to verify.
|
|
type: string
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if
|
|
set, is used to validate
|
|
SCTs against a custom
|
|
source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp source.
|
|
type: string
|
|
type: object
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog
|
|
skips transparency log
|
|
verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the
|
|
address of the transparency
|
|
log. Defaults to the public
|
|
Rekor log instance https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
keyless:
|
|
description: |-
|
|
Keyless is a set of attributes used to verify a Sigstore keyless attestor.
|
|
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions
|
|
are certificate-extensions
|
|
used for keyless signing.
|
|
type: object
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if
|
|
set, is used to validate
|
|
SCTs against a custom
|
|
source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp source.
|
|
type: string
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
issuerRegExp:
|
|
description: IssuerRegExp is
|
|
the regular expression to
|
|
match certificate issuer used
|
|
for keyless signing.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog
|
|
skips transparency log
|
|
verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the
|
|
address of the transparency
|
|
log. Defaults to the public
|
|
Rekor log instance https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
roots:
|
|
description: |-
|
|
Roots is an optional set of PEM encoded trusted root certificates.
|
|
If not provided, the system roots are used.
|
|
type: string
|
|
subject:
|
|
description: Subject is the
|
|
verified identity used for
|
|
keyless signing, for example
|
|
the email address.
|
|
type: string
|
|
subjectRegExp:
|
|
description: SubjectRegExp is
|
|
the regular expression to
|
|
match identity used for keyless
|
|
signing, for example the email
|
|
address.
|
|
type: string
|
|
type: object
|
|
keys:
|
|
description: Keys specifies one
|
|
or more public keys.
|
|
properties:
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if
|
|
set, is used to validate
|
|
SCTs against a custom
|
|
source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp source.
|
|
type: string
|
|
type: object
|
|
kms:
|
|
description: |-
|
|
KMS provides the URI to the public key stored in a Key Management System. See:
|
|
https://github.com/sigstore/cosign/blob/main/KMS.md
|
|
type: string
|
|
publicKeys:
|
|
description: |-
|
|
Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
|
|
specified or can be a variable reference to a key specified in a ConfigMap (see
|
|
https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
|
|
elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
|
|
The named Secret must specify a key `cosign.pub` containing the public key used for
|
|
verification (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
|
|
When multiple keys are specified each key is processed as a separate staticKey entry
|
|
(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog
|
|
skips transparency log
|
|
verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the
|
|
address of the transparency
|
|
log. Defaults to the public
|
|
Rekor log instance https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
secret:
|
|
description: Reference to a
|
|
Secret resource that contains
|
|
a public key
|
|
properties:
|
|
name:
|
|
description: Name of the
|
|
secret. The provided secret
|
|
must contain a key named
|
|
cosign.pub.
|
|
type: string
|
|
namespace:
|
|
description: Namespace name
|
|
where the Secret exists.
|
|
type: string
|
|
required:
|
|
- name
|
|
- namespace
|
|
type: object
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Deprecated. Use
|
|
attestor.signatureAlgorithm
|
|
instead.
|
|
type: string
|
|
type: object
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
|
|
If specified Repository will override other OCI image repository locations for this Attestor.
|
|
type: string
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Specify signature algorithm
|
|
for public keys. Supported values
|
|
are sha224, sha256, sha384 and
|
|
sha512.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
conditions:
|
|
description: |-
|
|
Conditions are used to verify attributes within a Predicate. If no Conditions are specified
|
|
the attestation check is satisfied as long as there are predicates that match the predicate type.
|
|
items:
|
|
description: |-
|
|
AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
|
|
AnyConditions get fulfilled when at least one of its sub-conditions passes.
|
|
AllConditions get fulfilled only when all of its sub-conditions pass.
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context
|
|
entry (using JMESPath) for conditional
|
|
rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context
|
|
entry (using JMESPath) for conditional
|
|
rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
predicateType:
|
|
description: Deprecated in favour of 'Type',
|
|
to be removed soon
|
|
type: string
|
|
type:
|
|
description: Type defines the type of attestation
|
|
contained within the Statement.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
attestors:
|
|
description: Attestors specify the required attestors
|
|
(i.e. authorities)
|
|
items:
|
|
properties:
|
|
count:
|
|
description: |-
|
|
Count specifies the required number of entries that must match. If the count is null, all entries must match
|
|
(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
|
|
value N, then N must be less than or equal to the size of entries, and at least N entries must match.
|
|
minimum: 1
|
|
type: integer
|
|
entries:
|
|
description: |-
|
|
Entries contains the available attestors. An attestor can be a static key,
|
|
attributes for keyless verification, or a nested attestor declaration.
|
|
items:
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations are used for image verification.
|
|
Every specified key-value pair must exist and match in the verified payload.
|
|
The payload may contain other key-value pairs.
|
|
type: object
|
|
attestor:
|
|
description: Attestor is a nested set
|
|
of Attestor used to specify a more complex
|
|
set of match authorities.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
certificates:
|
|
description: Certificates specifies one
|
|
or more certificates.
|
|
properties:
|
|
cert:
|
|
description: Cert is an optional PEM-encoded
|
|
public certificate.
|
|
type: string
|
|
certChain:
|
|
description: CertChain is an optional
|
|
PEM encoded set of certificates
|
|
used to verify.
|
|
type: string
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set, is
|
|
used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp response.
|
|
type: string
|
|
type: object
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
transparency log verification. Set to true only if the transparency log was opted out during signing, as this disables a verification step.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
keyless:
|
|
description: |-
|
|
Keyless is a set of attributes used to verify a Sigstore keyless attestor.
|
|
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions
|
|
are certificate-extensions used
|
|
for keyless signing.
|
|
type: object
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set, is
|
|
used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp response.
|
|
type: string
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
issuerRegExp:
|
|
description: IssuerRegExp is the regular
|
|
expression to match certificate
|
|
issuer used for keyless signing. Anchor the expression (for example with ^ and $) so that it cannot match unintended issuers.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
transparency log verification. Set to true only if the transparency log was opted out during signing, as this disables a verification step.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
roots:
|
|
description: |-
|
|
Roots is an optional set of PEM encoded trusted root certificates.
|
|
If not provided, the system roots are used.
|
|
type: string
|
|
subject:
|
|
description: Subject is the verified
|
|
identity used for keyless signing,
|
|
for example the email address.
|
|
type: string
|
|
subjectRegExp:
|
|
description: SubjectRegExp is the
|
|
regular expression to match identity
|
|
used for keyless signing, for example
|
|
the email address. Anchor the expression (for example with ^ and $) so that it cannot match unintended identities.
|
|
type: string
|
|
type: object
|
|
keys:
|
|
description: Keys specifies one or more
|
|
public keys.
|
|
properties:
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set, is
|
|
used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp response.
|
|
type: string
|
|
type: object
|
|
kms:
|
|
description: |-
|
|
KMS provides the URI to the public key stored in a Key Management System. See:
|
|
https://github.com/sigstore/cosign/blob/main/KMS.md
|
|
type: string
|
|
publicKeys:
|
|
description: |-
|
|
Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
|
|
specified or can be a variable reference to a key specified in a ConfigMap (see
|
|
https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
|
|
elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
|
|
The named Secret must specify a key `cosign.pub` containing the public key used for
|
|
verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
|
|
When multiple keys are specified each key is processed as a separate staticKey entry
|
|
(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
transparency log verification. Set to true only if the transparency log was opted out during signing, as this disables a verification step.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
secret:
|
|
description: Reference to a Secret
|
|
resource that contains a public
|
|
key
|
|
properties:
|
|
name:
|
|
description: Name of the secret.
|
|
The provided secret must contain
|
|
a key named cosign.pub.
|
|
type: string
|
|
namespace:
|
|
description: Namespace name where
|
|
the Secret exists.
|
|
type: string
|
|
required:
|
|
- name
|
|
- namespace
|
|
type: object
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Deprecated. Use attestor.signatureAlgorithm
|
|
instead.
|
|
type: string
|
|
type: object
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
|
|
If specified Repository will override other OCI image repository locations for this Attestor.
|
|
type: string
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Specify signature algorithm
|
|
for this attestor's public keys, certificates and KMS keys. Supported values are
|
|
sha224, sha256, sha384 and sha512; defaults to sha256. The schema does not restrict the value to this set, so a mistyped value is not rejected at the schema level.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
cosignOCI11:
|
|
description: |-
|
|
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
|
Defaults to false.
|
|
type: boolean
|
|
failureAction:
|
|
description: Allowed values are Audit or Enforce.
|
|
enum:
|
|
- Audit
|
|
- Enforce
|
|
type: string
|
|
image:
|
|
description: Deprecated. Use ImageReferences instead.
|
|
type: string
|
|
imageReferences:
|
|
description: |-
|
|
ImageReferences is a list of matching image reference patterns. At least one pattern in the
|
|
list must match the image for the rule to apply. Each image reference consists of a registry
|
|
address (defaults to docker.io), repository, image, and tag (defaults to latest).
|
|
Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
|
|
items:
|
|
type: string
|
|
type: array
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides credentials
|
|
that will be used for authentication with registry.
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows insecure
|
|
access to a registry. This weakens registry transport security and should not be enabled for production registries.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI registry credential providers to use for authentication.
|
|
It can be of one of these values: default,google,azure,amazon,github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential providers
|
|
required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
issuer:
|
|
description: Deprecated. Use KeylessAttestor instead.
|
|
type: string
|
|
key:
|
|
description: Deprecated. Use StaticKeyAttestor instead.
|
|
type: string
|
|
mutateDigest:
|
|
default: true
|
|
description: |-
|
|
MutateDigest enables replacement of image tags with digests.
|
|
Defaults to true.
|
|
type: boolean
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
|
|
If specified Repository will override the default OCI image repository configured for the installation.
|
|
The repository can also be overridden per Attestor or Attestation.
|
|
type: string
|
|
required:
|
|
default: true
|
|
description: Required validates that images are verified
|
|
i.e. have passed a signature or attestation
|
|
check.
|
|
type: boolean
|
|
roots:
|
|
description: Deprecated. Use KeylessAttestor instead.
|
|
type: string
|
|
skipImageReferences:
|
|
description: |-
|
|
SkipImageReferences is a list of matching image reference patterns that should be skipped.
|
|
At least one pattern in the list must match the image for the rule to be skipped. Each image reference
|
|
consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
|
|
Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subject:
|
|
description: Deprecated. Use KeylessAttestor instead.
|
|
type: string
|
|
type:
|
|
description: |-
|
|
Type specifies the method of signature validation. The allowed options
|
|
are Cosign, SigstoreBundle and Notary. By default Cosign is used if a type is not specified.
|
|
enum:
|
|
- Cosign
|
|
- SigstoreBundle
|
|
- Notary
|
|
type: string
|
|
useCache:
|
|
default: true
|
|
description: UseCache enables caching of image verify
|
|
responses for this rule.
|
|
type: boolean
|
|
verifyDigest:
|
|
default: true
|
|
description: VerifyDigest validates that images have
|
|
a digest.
|
|
type: boolean
|
|
type: object
|
|
type: array
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
type: object
|
|
conditions:
|
|
items:
|
|
description: Condition contains details for one aspect of the current
|
|
state of this API Resource.
|
|
properties:
|
|
lastTransitionTime:
|
|
description: |-
|
|
lastTransitionTime is the last time the condition transitioned from one status to another.
|
|
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
|
|
format: date-time
|
|
type: string
|
|
message:
|
|
description: |-
|
|
message is a human readable message indicating details about the transition.
|
|
This may be an empty string.
|
|
maxLength: 32768
|
|
type: string
|
|
observedGeneration:
|
|
description: |-
|
|
observedGeneration represents the .metadata.generation that the condition was set based upon.
|
|
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
|
|
with respect to the current state of the instance.
|
|
format: int64
|
|
minimum: 0
|
|
type: integer
|
|
reason:
|
|
description: |-
|
|
reason contains a programmatic identifier indicating the reason for the condition's last transition.
|
|
Producers of specific condition types may define expected values and meanings for this field,
|
|
and whether the values are considered a guaranteed API.
|
|
The value should be a CamelCase string.
|
|
This field may not be empty.
|
|
maxLength: 1024
|
|
minLength: 1
|
|
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
|
type: string
|
|
status:
|
|
description: status of the condition, one of True, False, Unknown.
|
|
enum:
|
|
- "True"
|
|
- "False"
|
|
- Unknown
|
|
type: string
|
|
type:
|
|
description: type of condition in CamelCase or in foo.example.com/CamelCase.
|
|
maxLength: 316
|
|
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
|
type: string
|
|
required:
|
|
- lastTransitionTime
|
|
- message
|
|
- reason
|
|
- status
|
|
- type
|
|
type: object
|
|
type: array
|
|
ready:
|
|
description: Deprecated in favor of Conditions
|
|
type: boolean
|
|
rulecount:
|
|
description: |-
|
|
RuleCountStatus contains four variables which describe counts for
|
|
validate, generate, mutate and verify images rules
|
|
properties:
|
|
generate:
|
|
description: Count for generate rules in policy
|
|
type: integer
|
|
mutate:
|
|
description: Count for mutate rules in policy
|
|
type: integer
|
|
validate:
|
|
description: Count for validate rules in policy
|
|
type: integer
|
|
verifyimages:
|
|
description: Count for verify image rules in policy
|
|
type: integer
|
|
required:
|
|
- generate
|
|
- mutate
|
|
- validate
|
|
- verifyimages
|
|
type: object
|
|
validatingadmissionpolicy:
|
|
description: ValidatingAdmissionPolicy contains status information
|
|
properties:
|
|
generated:
|
|
description: Generated indicates whether a validating admission
|
|
policy is generated from the policy or not
|
|
type: boolean
|
|
message:
|
|
description: |-
|
|
Message is a human readable message indicating details about the generation of validating admission policy
|
|
It is an empty string when validating admission policy is successfully generated.
|
|
type: string
|
|
required:
|
|
- generated
|
|
- message
|
|
type: object
|
|
type: object
|
|
required:
|
|
- spec
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources:
|
|
status: {}
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .spec.admission
|
|
name: ADMISSION
|
|
type: boolean
|
|
- jsonPath: .spec.background
|
|
name: BACKGROUND
|
|
type: boolean
|
|
- jsonPath: .status.conditions[?(@.type == "Ready")].status
|
|
name: READY
|
|
type: string
|
|
- jsonPath: .metadata.creationTimestamp
|
|
name: AGE
|
|
type: date
|
|
- jsonPath: .spec.failurePolicy
|
|
name: FAILURE POLICY
|
|
priority: 1
|
|
type: string
|
|
- jsonPath: .status.rulecount.validate
|
|
name: VALIDATE
|
|
priority: 1
|
|
type: integer
|
|
- jsonPath: .status.rulecount.mutate
|
|
name: MUTATE
|
|
priority: 1
|
|
type: integer
|
|
- jsonPath: .status.rulecount.generate
|
|
name: GENERATE
|
|
priority: 1
|
|
type: integer
|
|
- jsonPath: .status.rulecount.verifyimages
|
|
name: VERIFY IMAGES
|
|
priority: 1
|
|
type: integer
|
|
- jsonPath: .status.conditions[?(@.type == "Ready")].message
|
|
name: MESSAGE
|
|
type: string
|
|
name: v2beta1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: |-
|
|
Policy declares validation, mutation, and generation behaviors for matching resources.
|
|
See: https://kyverno.io/docs/writing-policies/ for more information.
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion defines the versioned schema of this representation of an object.
|
|
Servers should convert recognized schemas to the latest internal value, and
|
|
may reject unrecognized values.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is a string value representing the REST resource this object represents.
|
|
Servers may infer this from the endpoint the client submits requests to.
|
|
Cannot be updated.
|
|
In CamelCase.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Spec defines policy behaviors and contains one or more rules.
|
|
properties:
|
|
admission:
|
|
default: true
|
|
description: |-
|
|
Admission controls if rules are applied during admission.
|
|
Optional. Default value is "true".
|
|
type: boolean
|
|
applyRules:
|
|
description: |-
|
|
ApplyRules controls how rules in a policy are applied. Rule are processed in
|
|
the order of declaration. When set to `One` processing stops after a rule has
|
|
been applied i.e. the rule matches and results in a pass, fail, or error. When
|
|
set to `All` all rules in the policy are processed. The default is `All`.
|
|
enum:
|
|
- All
|
|
- One
|
|
type: string
|
|
background:
|
|
default: true
|
|
description: |-
|
|
Background controls if rules are applied to existing resources during a background scan.
|
|
Optional. Default value is "true". The value must be set to "false" if the policy rule
|
|
uses variables that are only available in the admission review request (e.g. user name).
|
|
type: boolean
|
|
failurePolicy:
|
|
description: Deprecated, use failurePolicy under the webhookConfiguration
|
|
instead.
|
|
enum:
|
|
- Ignore
|
|
- Fail
|
|
type: string
|
|
generateExisting:
|
|
description: Deprecated, use generateExisting under the generate rule
|
|
instead
|
|
type: boolean
|
|
generateExistingOnPolicyUpdate:
|
|
description: Deprecated, use generateExisting instead
|
|
type: boolean
|
|
mutateExistingOnPolicyUpdate:
|
|
description: Deprecated, use mutateExistingOnPolicyUpdate under the
|
|
mutate rule instead
|
|
type: boolean
|
|
rules:
|
|
description: |-
|
|
Rules is a list of Rule instances. A Policy contains multiple rules and
|
|
each rule can validate, mutate, or generate resources.
|
|
items:
|
|
description: |-
|
|
Rule defines a validation, mutation, or generation control for matching resources.
|
|
Each rules contains a match declaration to select resources, and an optional exclude
|
|
declaration to specify which resources to exclude.
|
|
properties:
|
|
celPreconditions:
|
|
description: |-
|
|
CELPreconditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of CEL conditions. It can only be used with the validate.cel subrule
|
|
items:
|
|
description: MatchCondition represents a condition which must
|
|
be fulfilled for a request to be sent to a webhook.
|
|
properties:
|
|
expression:
|
|
description: |-
|
|
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
|
|
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
|
|
|
|
'object' - The object from the incoming request. The value is null for DELETE requests.
|
|
'oldObject' - The existing object. The value is null for CREATE requests.
|
|
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
|
|
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
|
|
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
|
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
|
|
request resource.
|
|
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
|
|
|
|
Required.
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name is an identifier for this match condition, used for strategic merging of MatchConditions,
|
|
as well as providing an identifier for logging purposes. A good name should be descriptive of
|
|
the associated expression.
|
|
Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
|
|
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
|
|
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
|
|
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
|
|
|
|
Required.
|
|
type: string
|
|
required:
|
|
- expression
|
|
- name
|
|
type: object
|
|
type: array
|
|
context:
|
|
description: Context defines variables and data sources that
|
|
can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference or a APILookup must be provided.
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains the HTTP POST
|
|
data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier for
|
|
the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns an error.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request type (GET
|
|
or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference is a reference
|
|
to a cached global context entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides credentials
|
|
that will be used for authentication with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows insecure
|
|
access to a registry. This weakens registry transport security and should not be enabled for production registries.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI registry credential providers to use for authentication.
|
|
It can be of one of these values: default,google,azure,amazon,github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential providers
|
|
required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath context
|
|
variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON object representable
|
|
in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
exclude:
|
|
description: |-
|
|
ExcludeResources defines when this policy rule should not be applied. The exclude
|
|
criteria can include resource information (e.g. kind, name, namespace, labels)
|
|
and admission review request information like the name or role.
|
|
not:
|
|
required:
|
|
- any
|
|
- all
|
|
properties:
|
|
all:
|
|
description: All allows specifying resources which will
|
|
be ANDed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or "OR"
|
|
between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (matches one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (matches one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character).Wildcards allows writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespaces names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (matches one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used
|
|
to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one
|
|
of the values CREATE, UPDATE, CONNECT, DELETE,
|
|
which are used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: Any allows specifying resources which will
|
|
be ORed
|
|
items:
|
|
description: ResourceFilter allows users to "AND" or "OR"
|
|
between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used
|
|
to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one
|
|
of the values CREATE, UPDATE, CONNECT, DELETE,
|
|
which are used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
type: object
|
|
generate:
|
|
description: Generation is used to create new resources.
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
clone:
|
|
description: |-
|
|
Clone specifies the source resource used to populate each generated resource.
|
|
At most one of Data or Clone can be specified. If neither are provided, the generated
|
|
resource will be created with default data only.
|
|
properties:
|
|
name:
|
|
description: Name specifies name of the resource.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies source resource namespace.
|
|
type: string
|
|
type: object
|
|
cloneList:
|
|
description: CloneList specifies the list of source resource
|
|
used to populate each generated resource.
|
|
properties:
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespace:
|
|
description: Namespace specifies source resource namespace.
|
|
type: string
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels`.
|
|
Wildcard characters are not supported.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
data:
|
|
description: |-
|
|
Data provides the resource declaration used to populate each generated resource.
|
|
At most one of Data or Clone must be specified. If neither are provided, the generated
|
|
resource will be created with default data only.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
foreach:
|
|
description: ForEach applies generate rules to a list of
|
|
sub-elements by creating a context for each entry in the
|
|
list and looping over it to apply the specified logic.
|
|
items:
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
clone:
|
|
description: |-
|
|
Clone specifies the source resource used to populate each generated resource.
|
|
At most one of Data or Clone can be specified. If neither are provided, the generated
|
|
resource will be created with default data only.
|
|
properties:
|
|
name:
|
|
description: Name specifies name of the resource.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies source resource
|
|
namespace.
|
|
type: string
|
|
type: object
|
|
cloneList:
|
|
description: CloneList specifies the list of source
|
|
resource used to populate each generated resource.
|
|
properties:
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespace:
|
|
description: Namespace specifies source resource
|
|
namespace.
|
|
type: string
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels`.
|
|
Wildcard characters are not supported.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
context:
|
|
description: Context defines variables and data sources
|
|
that can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference or an APILookup must be provided.
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains the
|
|
HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns an error
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM-encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference is
|
|
a reference to a cached global context entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context
|
|
entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides
|
|
credentials that will be used for authentication
|
|
with the registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows
|
|
insecure access to a registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
It can be one of these values: default, google, azure, amazon, github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath
|
|
context variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON
|
|
object representable in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
data:
|
|
description: |-
|
|
Data provides the resource declaration used to populate each generated resource.
|
|
At most one of Data or Clone must be specified. If neither are provided, the generated
|
|
resource will be created with default data only.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
list:
|
|
description: |-
|
|
List specifies a JMESPath expression that results in one or more elements
|
|
to which the validation logic is applied.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
preconditions:
|
|
description: |-
|
|
AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display
|
|
message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display
|
|
message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
uid:
|
|
description: UID specifies the resource uid.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
generateExisting:
|
|
description: |-
|
|
GenerateExisting controls whether to trigger the rule in existing resources
|
|
If set to "true", the rule will be triggered and applied to existing matched resources.
|
|
type: boolean
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
orphanDownstreamOnPolicyDelete:
|
|
description: |-
|
|
OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
|
|
them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
|
|
See https://kyverno.io/docs/writing-policies/generate/#data-examples.
|
|
Defaults to "false" if not specified.
|
|
type: boolean
|
|
synchronize:
|
|
description: |-
|
|
Synchronize controls if generated resources should be kept in-sync with their source resource.
|
|
If Synchronize is set to "true" changes to generated resources will be overwritten with resource
|
|
data from Data or the resource specified in the Clone declaration.
|
|
Optional. Defaults to "false" if not specified.
|
|
type: boolean
|
|
uid:
|
|
description: UID specifies the resource uid.
|
|
type: string
|
|
type: object
|
|
imageExtractors:
|
|
additionalProperties:
|
|
items:
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath expression to apply to the image value.
|
|
This is useful when the extracted image begins with a prefix like 'docker://'.
|
|
The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
|
|
Note - Image digest mutation may not be used when applying a JMESPath to an image.
|
|
type: string
|
|
key:
|
|
description: |-
|
|
Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
|
|
Note - this field MUST be unique.
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name is the entry the image will be available under 'images.<name>' in the context.
|
|
If this field is not defined, image entries will appear under 'images.custom'.
|
|
type: string
|
|
path:
|
|
description: |-
|
|
Path is the path to the object containing the image field in a custom resource.
|
|
It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
|
|
Wildcard keys are expanded in case of arrays or objects.
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is an optional name of the field within 'path' that points to the image URI.
|
|
This is useful when a custom 'key' is also defined.
|
|
type: string
|
|
required:
|
|
- path
|
|
type: object
|
|
type: array
|
|
description: |-
|
|
ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
|
|
This config is only valid for verifyImages rules.
|
|
type: object
|
|
match:
|
|
description: |-
|
|
MatchResources defines when this policy rule should be applied. The match
|
|
criteria can include resource information (e.g. kind, name, namespace, labels)
|
|
and admission review request information like the user name or role.
|
|
At least one kind is required.
|
|
not:
|
|
required:
|
|
- any
|
|
- all
|
|
properties:
|
|
all:
|
|
description: All allows specifying resources which will
|
|
be ANDed
|
|
items:
|
|
description: ResourceFilter allows users to "AND" or "OR"
|
|
between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used
|
|
to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one
|
|
of the values CREATE, UPDATE, CONNECT, DELETE,
|
|
which are used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: Any allows specifying resources which will
|
|
be ORed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or "OR"
|
|
between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used
|
|
to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one
|
|
of the values CREATE, UPDATE, CONNECT, DELETE,
|
|
which are used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
type: object
|
|
mutate:
|
|
description: Mutation is used to modify matching resources.
|
|
properties:
|
|
foreach:
|
|
description: ForEach applies mutation rules to a list of
|
|
sub-elements by creating a context for each entry in the
|
|
list and looping over it to apply the specified logic.
|
|
items:
|
|
description: ForEachMutation applies mutation rules to
|
|
a list of sub-elements by creating a context for each
|
|
entry in the list and looping over it to apply the specified
|
|
logic.
|
|
properties:
|
|
context:
|
|
description: Context defines variables and data sources
|
|
that can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference or an APILookup must be provided.
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains the
|
|
HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns error
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference is
|
|
a reference to a cached global context entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context
|
|
entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides
|
|
credentials that will be used for authentication
|
|
with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows
|
|
insecure access to a registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
It can be one of these values: default, google, azure, amazon, github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath
|
|
context variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON
|
|
object representable in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
foreach:
|
|
description: Foreach declares a nested foreach iterator
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
list:
|
|
description: |-
|
|
List specifies a JMESPath expression that results in one or more elements
|
|
to which the validation logic is applied.
|
|
type: string
|
|
order:
|
|
description: |-
|
|
Order defines the iteration order on the list.
|
|
Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element.
|
|
enum:
|
|
- Ascending
|
|
- Descending
|
|
type: string
|
|
patchStrategicMerge:
|
|
description: |-
|
|
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
|
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
|
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
patchesJson6902:
|
|
description: |-
|
|
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
|
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
|
type: string
|
|
preconditions:
|
|
description: |-
|
|
AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display
|
|
message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display
|
|
message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
mutateExistingOnPolicyUpdate:
|
|
description: MutateExistingOnPolicyUpdate controls if the
|
|
mutateExisting rule will be applied on policy events.
|
|
type: boolean
|
|
patchStrategicMerge:
|
|
description: |-
|
|
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
|
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
|
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
patchesJson6902:
|
|
description: |-
|
|
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
|
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
|
type: string
|
|
targets:
|
|
description: Targets defines the target resources to be
|
|
mutated.
|
|
items:
|
|
description: TargetResourceSpec defines targets for mutating
|
|
existing resources.
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
context:
|
|
description: Context defines variables and data sources
|
|
that can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference or an APILookup must be provided.
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains the
|
|
HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns error
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference is
|
|
a reference to a cached global context entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context
|
|
entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides
|
|
credentials that will be used for authentication
|
|
with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows
|
|
insecure access to a registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
It can be one of these values: default, google, azure, amazon, github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath
|
|
context variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON
|
|
object representable in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
preconditions:
|
|
description: |-
|
|
Preconditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
|
|
of conditions (without `any` or `all` statements) is supported for backwards compatibility but
|
|
will be deprecated in the next major release.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
uid:
|
|
description: UID specifies the resource uid.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
name:
|
|
description: Name is a label to identify the rule. It must be
|
|
unique within the policy.
|
|
maxLength: 63
|
|
type: string
|
|
preconditions:
|
|
description: |-
|
|
Preconditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass.
|
|
items:
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using JMESPath)
|
|
for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- AnyIn
|
|
- AllIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions needs to pass.
|
|
items:
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using JMESPath)
|
|
for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- AnyIn
|
|
- AllIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
skipBackgroundRequests:
|
|
default: true
|
|
description: |-
|
|
SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
|
|
The default value is set to "true"; it must be set to "false" to apply
|
|
generate and mutateExisting rules to those requests.
|
|
type: boolean
|
|
validate:
|
|
description: Validation is used to validate matching resources.
|
|
properties:
|
|
anyPattern:
|
|
description: |-
|
|
AnyPattern specifies list of validation patterns. At least one of the patterns
|
|
must be satisfied for the validation rule to succeed.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
assert:
|
|
description: Assert defines a kyverno-json assertion tree.
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
cel:
|
|
description: CEL allows validation checks using the Common
|
|
Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
|
|
properties:
|
|
auditAnnotations:
|
|
description: AuditAnnotations contains CEL expressions
|
|
which are used to produce audit annotations for the
|
|
audit event of the API request.
|
|
items:
|
|
description: AuditAnnotation describes how to produce
|
|
an audit annotation for an API request.
|
|
properties:
|
|
key:
|
|
description: |-
|
|
key specifies the audit annotation key. The audit annotation keys of
|
|
a ValidatingAdmissionPolicy must be unique. The key must be a qualified
|
|
name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
|
|
|
|
The key is combined with the resource name of the
|
|
ValidatingAdmissionPolicy to construct an audit annotation key:
|
|
"{ValidatingAdmissionPolicy name}/{key}".
|
|
|
|
If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
|
|
and the same audit annotation key, the annotation key will be identical.
|
|
In this case, the first annotation written with the key will be included
|
|
in the audit event and all subsequent annotations with the same key
|
|
will be discarded.
|
|
|
|
Required.
|
|
type: string
|
|
valueExpression:
|
|
description: |-
|
|
valueExpression represents the expression which is evaluated by CEL to
|
|
produce an audit annotation value. The expression must evaluate to either
|
|
a string or null value. If the expression evaluates to a string, the
|
|
audit annotation is included with the string value. If the expression
|
|
evaluates to null or empty string the audit annotation will be omitted.
|
|
The valueExpression may be no longer than 5kb in length.
|
|
If the result of the valueExpression is more than 10kb in length, it
|
|
will be truncated to 10kb.
|
|
|
|
If multiple ValidatingAdmissionPolicyBinding resources match an
|
|
API request, then the valueExpression will be evaluated for
|
|
each binding. All unique values produced by the valueExpressions
|
|
will be joined together in a comma-separated list.
|
|
|
|
Required.
|
|
type: string
|
|
required:
|
|
- key
|
|
- valueExpression
|
|
type: object
|
|
type: array
|
|
expressions:
|
|
description: Expressions is a list of CELExpression
|
|
types.
|
|
items:
|
|
description: Validation specifies the CEL expression
|
|
which is used to apply the validation.
|
|
properties:
|
|
expression:
|
|
description: "Expression represents the expression
|
|
which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
|
|
expressions have access to the contents of the
|
|
API request/response, organized into CEL variables
|
|
as well as some other useful variables:\n\n-
|
|
'object' - The object from the incoming request.
|
|
The value is null for DELETE requests.\n- 'oldObject'
|
|
- The existing object. The value is null for
|
|
CREATE requests.\n- 'request' - Attributes of
|
|
the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
|
|
'params' - Parameter resource referred to by
|
|
the policy binding being evaluated. Only populated
|
|
if the policy has a ParamKind.\n- 'namespaceObject'
|
|
- The namespace object that the incoming object
|
|
belongs to. The value is null for cluster-scoped
|
|
resources.\n- 'variables' - Map of composited
|
|
variables, from its name to its lazily evaluated
|
|
value.\n For example, a variable named 'foo'
|
|
can be accessed as 'variables.foo'.\n- 'authorizer'
|
|
- A CEL Authorizer. May be used to perform authorization
|
|
checks for the principal (user or service account)
|
|
of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
|
|
'authorizer.requestResource' - A CEL ResourceCheck
|
|
constructed from the 'authorizer' and configured
|
|
with the\n request resource.\n\nThe `apiVersion`,
|
|
`kind`, `metadata.name` and `metadata.generateName`
|
|
are always accessible from the root of the\nobject.
|
|
No other metadata properties are accessible.\n\nOnly
|
|
property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
|
|
are accessible.\nAccessible property names are
|
|
escaped according to the following rules when
|
|
accessed in the expression:\n- '__' escapes
|
|
to '__underscores__'\n- '.' escapes to '__dot__'\n-
|
|
'-' escapes to '__dash__'\n- '/' escapes to
|
|
'__slash__'\n- Property names that exactly match
|
|
a CEL RESERVED keyword escape to '__{keyword}__'.
|
|
The keywords are:\n\t \"true\", \"false\",
|
|
\"null\", \"in\", \"as\", \"break\", \"const\",
|
|
\"continue\", \"else\", \"for\", \"function\",
|
|
\"if\",\n\t \"import\", \"let\", \"loop\",
|
|
\"package\", \"namespace\", \"return\".\nExamples:\n
|
|
\ - Expression accessing a property named \"namespace\":
|
|
{\"Expression\": \"object.__namespace__ > 0\"}\n
|
|
\ - Expression accessing a property named \"x-prop\":
|
|
{\"Expression\": \"object.x__dash__prop > 0\"}\n
|
|
\ - Expression accessing a property named \"redact__d\":
|
|
{\"Expression\": \"object.redact__underscores__d
|
|
> 0\"}\n\nEquality on arrays with list type
|
|
of 'set' or 'map' ignores element order, i.e.
|
|
[1, 2] == [2, 1].\nConcatenation on arrays with
|
|
x-kubernetes-list-type use the semantics of
|
|
the list type:\n - 'set': `X + Y` performs
|
|
a union where the array positions of all elements
|
|
in `X` are preserved and\n non-intersecting
|
|
elements in `Y` are appended, retaining their
|
|
partial order.\n - 'map': `X + Y` performs
|
|
a merge where the array positions of all keys
|
|
in `X` are preserved but the values\n are
|
|
overwritten by values in `Y` when the key sets
|
|
of `X` and `Y` intersect. Elements in `Y` with\n
|
|
\ non-intersecting keys are appended, retaining
|
|
their partial order.\nRequired."
|
|
type: string
|
|
message:
|
|
description: |-
|
|
Message represents the message displayed when validation fails. The message is required if the Expression contains
|
|
line breaks. The message must not contain line breaks.
|
|
If unset, the message is "failed rule: {Rule}".
|
|
e.g. "must be a URL with the host matching spec.host"
|
|
If the Expression contains line breaks. Message is required.
|
|
The message must not contain line breaks.
|
|
If unset, the message is "failed Expression: {Expression}".
|
|
type: string
|
|
messageExpression:
|
|
description: |-
|
|
messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
|
|
Since messageExpression is used as a failure message, it must evaluate to a string.
|
|
If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
|
|
If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
|
|
as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
|
|
that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
|
|
the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
|
|
messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
|
|
Example:
|
|
"object.x must be less than max ("+string(params.max)+")"
|
|
type: string
|
|
reason:
|
|
description: |-
|
|
Reason represents a machine-readable description of why this validation failed.
|
|
If this is the first validation in the list to fail, this reason, as well as the
|
|
corresponding HTTP response code, are used in the
|
|
HTTP response to the client.
|
|
The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
|
|
If not set, StatusReasonInvalid is used in the response to the client.
|
|
type: string
|
|
required:
|
|
- expression
|
|
type: object
|
|
type: array
|
|
paramKind:
|
|
description: ParamKind is a tuple of Group Kind and
|
|
Version.
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion is the API group version the resources belong to.
|
|
In format of "group/version".
|
|
Required.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is the API kind the resources belong to.
|
|
Required.
|
|
type: string
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
paramRef:
|
|
description: ParamRef references a parameter resource.
|
|
properties:
|
|
name:
|
|
description: |-
|
|
name is the name of the resource being referenced.
|
|
|
|
One of `name` or `selector` must be set, but `name` and `selector` are
|
|
mutually exclusive properties. If one is set, the other must be unset.
|
|
|
|
A single parameter used for all admission requests can be configured
|
|
by setting the `name` field, leaving `selector` blank, and setting namespace
|
|
if `paramKind` is namespace-scoped.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
namespace is the namespace of the referenced resource. Allows limiting
|
|
the search for params to a specific namespace. Applies to both `name` and
|
|
`selector` fields.
|
|
|
|
A per-namespace parameter may be used by specifying a namespace-scoped
|
|
`paramKind` in the policy and leaving this field empty.
|
|
|
|
- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
|
|
field results in a configuration error.
|
|
|
|
- If `paramKind` is namespace-scoped, the namespace of the object being
|
|
evaluated for admission will be used when this field is left unset. Take
|
|
care that if this is left empty the binding must not match any cluster-scoped
|
|
resources, which will result in an error.
|
|
type: string
|
|
parameterNotFoundAction:
|
|
description: |-
|
|
`parameterNotFoundAction` controls the behavior of the binding when the resource
|
|
exists, and name or selector is valid, but there are no parameters
|
|
matched by the binding. If the value is set to `Allow`, then no
|
|
matched parameters will be treated as successful validation by the binding.
|
|
If set to `Deny`, then no matched parameters will be subject to the
|
|
`failurePolicy` of the policy.
|
|
|
|
Allowed values are `Allow` or `Deny`
|
|
|
|
Required
|
|
type: string
|
|
selector:
|
|
description: |-
|
|
selector can be used to match multiple param objects based on their labels.
|
|
Supply selector: {} to match all resources of the ParamKind.
|
|
|
|
If multiple params are found, they are all evaluated with the policy expressions
|
|
and the results are ANDed together.
|
|
|
|
One of `name` or `selector` must be set, but `name` and `selector` are
|
|
mutually exclusive properties. If one is set, the other must be unset.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
variables:
|
|
description: |-
|
|
Variables contain definitions of variables that can be used in composition of other expressions.
|
|
Each variable is defined as a named CEL expression.
|
|
The variables defined here will be available under `variables` in other expressions of the policy.
|
|
items:
|
|
description: Variable is the definition of a variable
|
|
that is used for composition. A variable is defined
|
|
as a named expression.
|
|
properties:
|
|
expression:
|
|
description: |-
|
|
Expression is the expression that will be evaluated as the value of the variable.
|
|
The CEL expression has access to the same identifiers as the CEL expressions in Validation.
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
|
|
The variable can be accessed in other expressions through `variables`
|
|
For example, if name is "foo", the variable will be available as `variables.foo`
|
|
type: string
|
|
required:
|
|
- expression
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
deny:
|
|
description: Deny defines conditions used to pass or fail
|
|
a validation rule.
|
|
properties:
|
|
conditions:
|
|
description: |-
|
|
Multiple conditions can be declared under an `any` or `all` statement.
|
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass.
|
|
items:
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display
|
|
message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- AnyIn
|
|
- AllIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions needs to pass.
|
|
items:
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display
|
|
message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- AnyIn
|
|
- AllIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: object
|
|
failureAction:
|
|
description: |-
|
|
FailureAction defines if a validation policy rule violation should block
|
|
the admission review request (Enforce), or allow (Audit) the admission review request
|
|
and report an error in a policy report. Optional.
|
|
Allowed values are Audit or Enforce.
|
|
enum:
|
|
- Audit
|
|
- Enforce
|
|
type: string
|
|
failureActionOverrides:
|
|
description: |-
|
|
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
|
|
namespace-wise. It overrides FailureAction for the specified namespaces.
|
|
items:
|
|
properties:
|
|
action:
|
|
description: ValidationFailureAction defines the policy
|
|
validation failure action
|
|
enum:
|
|
- audit
|
|
- enforce
|
|
- Audit
|
|
- Enforce
|
|
type: string
|
|
namespaceSelector:
|
|
description: |-
|
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
label selector matches no objects.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
type: array
|
|
foreach:
|
|
description: ForEach applies validate rules to a list of
|
|
sub-elements by creating a context for each entry in the
|
|
list and looping over it to apply the specified logic.
|
|
items:
|
|
description: ForEachValidation applies validate rules
|
|
to a list of sub-elements by creating a context for
|
|
each entry in the list and looping over it to apply
|
|
the specified logic.
|
|
properties:
|
|
anyPattern:
|
|
description: |-
|
|
AnyPattern specifies list of validation patterns. At least one of the patterns
|
|
must be satisfied for the validation rule to succeed.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
context:
|
|
description: Context defines variables and data sources
|
|
that can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference or a APILookup must be provided.
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains the
|
|
HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns error
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference is
|
|
a reference to a cached global context entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context
|
|
entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides
|
|
credentials that will be used for authentication
|
|
with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows
|
|
insecure access to a registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
It can be of one of these values: default,google,azure,amazon,github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath
|
|
context variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON
|
|
object representable in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
deny:
|
|
description: Deny defines conditions used to pass
|
|
or fail a validation rule.
|
|
properties:
|
|
conditions:
|
|
description: |-
|
|
Multiple conditions can be declared under an `any` or `all` statement. A direct list
|
|
of conditions (without `any` or `all` statements) is also supported for backwards compatibility
|
|
but will be deprecated in the next major release.
|
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
elementScope:
|
|
description: |-
|
|
ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
|
|
When set to "false", "request.object" is used as the validation scope within the foreach
|
|
block to allow referencing other elements in the subtree.
|
|
type: boolean
|
|
foreach:
|
|
description: Foreach declares a nested foreach iterator
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
list:
|
|
description: |-
|
|
List specifies a JMESPath expression that results in one or more elements
|
|
to which the validation logic is applied.
|
|
type: string
|
|
pattern:
|
|
description: Pattern specifies an overlay-style pattern
|
|
used to check resources.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
preconditions:
|
|
description: |-
|
|
AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display
|
|
message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions needs to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using
|
|
JMESPath) for conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display
|
|
message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be a fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
manifests:
|
|
description: Manifest specifies conditions for manifest
|
|
verification
|
|
properties:
|
|
annotationDomain:
|
|
description: AnnotationDomain is custom domain of annotation
|
|
for message and signature. Default is "cosign.sigstore.dev".
|
|
type: string
|
|
attestors:
|
|
description: Attestors specify the required attestors
|
|
(i.e. authorities)
|
|
items:
|
|
properties:
|
|
count:
|
|
description: |-
|
|
Count specifies the required number of entries that must match. If the count is null, all entries must match
|
|
(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
|
|
value N, then N must be less than or equal to the size of entries, and at least N entries must match.
|
|
minimum: 1
|
|
type: integer
|
|
entries:
|
|
description: |-
|
|
Entries contains the available attestors. An attestor can be a static key,
|
|
attributes for keyless verification, or a nested attestor declaration.
|
|
items:
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations are used for image verification.
|
|
Every specified key-value pair must exist and match in the verified payload.
|
|
The payload may contain other key-value pairs.
|
|
type: object
|
|
attestor:
|
|
description: Attestor is a nested set of
|
|
Attestor used to specify a more complex
|
|
set of match authorities.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
certificates:
|
|
description: Certificates specifies one
|
|
or more certificates.
|
|
properties:
|
|
cert:
|
|
description: Cert is an optional PEM-encoded
|
|
public certificate.
|
|
type: string
|
|
certChain:
|
|
description: CertChain is an optional
|
|
PEM encoded set of certificates used
|
|
to verify.
|
|
type: string
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set, is
|
|
used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp response.
|
|
type: string
|
|
type: object
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips transparency
|
|
log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
keyless:
|
|
description: |-
|
|
Keyless is a set of attributes used to verify a Sigstore keyless attestor.
|
|
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions are
|
|
certificate-extensions used for keyless
|
|
signing.
|
|
type: object
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set, is
|
|
used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp response.
|
|
type: string
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
issuerRegExp:
|
|
description: IssuerRegExp is the regular
|
|
expression to match certificate issuer
|
|
used for keyless signing.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips transparency
|
|
log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
roots:
|
|
description: |-
|
|
Roots is an optional set of PEM encoded trusted root certificates.
|
|
If not provided, the system roots are used.
|
|
type: string
|
|
subject:
|
|
description: Subject is the verified
|
|
identity used for keyless signing,
|
|
for example the email address.
|
|
type: string
|
|
subjectRegExp:
|
|
description: SubjectRegExp is the regular
|
|
expression to match identity used
|
|
for keyless signing, for example the
|
|
email address.
|
|
type: string
|
|
type: object
|
|
keys:
|
|
description: Keys specifies one or more
|
|
public keys.
|
|
properties:
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set, is
|
|
used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp response.
|
|
type: string
|
|
type: object
|
|
kms:
|
|
description: |-
|
|
KMS provides the URI to the public key stored in a Key Management System. See:
|
|
https://github.com/sigstore/cosign/blob/main/KMS.md
|
|
type: string
|
|
publicKeys:
|
|
description: |-
|
|
Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
|
|
specified or can be a variable reference to a key specified in a ConfigMap (see
|
|
https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
|
|
elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
|
|
The named Secret must specify a key `cosign.pub` containing the public key used for
|
|
verification (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
|
|
When multiple keys are specified each key is processed as a separate staticKey entry
|
|
(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips transparency
|
|
log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
secret:
|
|
description: Reference to a Secret resource
|
|
that contains a public key
|
|
properties:
|
|
name:
|
|
description: Name of the secret.
|
|
The provided secret must contain
|
|
a key named cosign.pub.
|
|
type: string
|
|
namespace:
|
|
description: Namespace name where
|
|
the Secret exists.
|
|
type: string
|
|
required:
|
|
- name
|
|
- namespace
|
|
type: object
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Deprecated. Use attestor.signatureAlgorithm
|
|
instead.
|
|
type: string
|
|
type: object
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
|
|
If specified Repository will override other OCI image repository locations for this Attestor.
|
|
type: string
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Specify signature algorithm
|
|
for public keys. Supported values are
|
|
sha224, sha256, sha384 and sha512.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
dryRun:
|
|
description: DryRun configuration
|
|
properties:
|
|
enable:
|
|
type: boolean
|
|
namespace:
|
|
type: string
|
|
type: object
|
|
ignoreFields:
|
|
description: Fields which will be ignored while comparing
|
|
manifests.
|
|
items:
|
|
properties:
|
|
fields:
|
|
items:
|
|
type: string
|
|
type: array
|
|
objects:
|
|
items:
|
|
properties:
|
|
group:
|
|
type: string
|
|
kind:
|
|
type: string
|
|
name:
|
|
type: string
|
|
namespace:
|
|
type: string
|
|
version:
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for resource bundle reference.
|
|
The repository can be overridden per Attestor or Attestation.
|
|
type: string
|
|
type: object
|
|
message:
|
|
description: Message specifies a custom message to be displayed
|
|
on failure.
|
|
type: string
|
|
pattern:
|
|
description: Pattern specifies an overlay-style pattern
|
|
used to check resources.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
podSecurity:
|
|
description: |-
|
|
PodSecurity applies exemptions for Kubernetes Pod Security admission
|
|
by specifying exclusions for Pod Security Standards controls.
|
|
properties:
|
|
exclude:
|
|
description: Exclude specifies the Pod Security Standard
|
|
controls to be excluded.
|
|
items:
|
|
description: PodSecurityStandard specifies the Pod
|
|
Security Standard controls to be excluded.
|
|
properties:
|
|
controlName:
|
|
description: |-
|
|
ControlName specifies the name of the Pod Security Standard control.
|
|
See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
|
|
enum:
|
|
- HostProcess
|
|
- Host Namespaces
|
|
- Privileged Containers
|
|
- Capabilities
|
|
- HostPath Volumes
|
|
- Host Ports
|
|
- AppArmor
|
|
- SELinux
|
|
- /proc Mount Type
|
|
- Seccomp
|
|
- Sysctls
|
|
- Volume Types
|
|
- Privilege Escalation
|
|
- Running as Non-root
|
|
- Running as Non-root user
|
|
type: string
|
|
images:
|
|
description: |-
|
|
Images selects matching containers and applies the container level PSS.
|
|
Each image is the image name consisting of the registry address, repository, image, and tag.
|
|
Empty list matches no containers, PSS checks are applied at the pod level only.
|
|
Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
|
|
items:
|
|
type: string
|
|
type: array
|
|
restrictedField:
|
|
description: |-
|
|
RestrictedField selects the field for the given Pod Security Standard control.
|
|
When not set, all restricted fields for the control are selected.
|
|
type: string
|
|
values:
|
|
description: Values defines the allowed values
|
|
that can be excluded.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- controlName
|
|
type: object
|
|
type: array
|
|
level:
|
|
description: |-
|
|
Level defines the Pod Security Standard level to be applied to workloads.
|
|
Allowed values are privileged, baseline, and restricted.
|
|
enum:
|
|
- privileged
|
|
- baseline
|
|
- restricted
|
|
type: string
|
|
version:
|
|
description: |-
|
|
Version defines the Pod Security Standard versions that Kubernetes supports.
|
|
Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
|
|
enum:
|
|
- v1.19
|
|
- v1.20
|
|
- v1.21
|
|
- v1.22
|
|
- v1.23
|
|
- v1.24
|
|
- v1.25
|
|
- v1.26
|
|
- v1.27
|
|
- v1.28
|
|
- v1.29
|
|
- latest
|
|
type: string
|
|
type: object
|
|
type: object
|
|
verifyImages:
|
|
description: VerifyImages is used to verify image signatures
|
|
and mutate them to add a digest
|
|
items:
|
|
description: |-
|
|
ImageVerification validates that images that match the specified pattern
|
|
are signed with the supplied public key. Once the image is verified it is
|
|
mutated to include the SHA digest retrieved during the registration.
|
|
properties:
|
|
attestations:
|
|
description: |-
|
|
Attestations are optional checks for signed in-toto Statements used to verify the image.
|
|
See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
|
|
OCI registry and decodes them into a list of Statement declarations.
|
|
items:
|
|
description: |-
|
|
Attestation are checks for signed in-toto Statements that are used to verify the image.
|
|
See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
|
|
OCI registry and decodes them into a list of Statements.
|
|
properties:
|
|
attestors:
|
|
description: Attestors specify the required attestors
|
|
(i.e. authorities).
|
|
items:
|
|
properties:
|
|
count:
|
|
description: |-
|
|
Count specifies the required number of entries that must match. If the count is null, all entries must match
|
|
(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
|
|
value N, then N must be less than or equal to the size of entries, and at least N entries must match.
|
|
minimum: 1
|
|
type: integer
|
|
entries:
|
|
description: |-
|
|
Entries contains the available attestors. An attestor can be a static key,
|
|
attributes for keyless verification, or a nested attestor declaration.
|
|
items:
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations are used for image verification.
|
|
Every specified key-value pair must exist and match in the verified payload.
|
|
The payload may contain other key-value pairs.
|
|
type: object
|
|
attestor:
|
|
description: Attestor is a nested set
|
|
of Attestor used to specify a more
|
|
complex set of match authorities.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
certificates:
|
|
description: Certificates specifies
|
|
one or more certificates.
|
|
properties:
|
|
cert:
|
|
description: Cert is an optional
|
|
PEM-encoded public certificate.
|
|
type: string
|
|
certChain:
|
|
description: CertChain is an optional
|
|
PEM encoded set of certificates
|
|
used to verify.
|
|
type: string
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set,
|
|
is used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp response.
|
|
type: string
|
|
type: object
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
transparency log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
keyless:
|
|
description: |-
|
|
Keyless is a set of attributes used to verify a Sigstore keyless attestor.
|
|
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions
|
|
are certificate-extensions used
|
|
for keyless signing.
|
|
type: object
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set,
|
|
is used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp response.
|
|
type: string
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
issuerRegExp:
|
|
description: IssuerRegExp is the
|
|
regular expression to match certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
transparency log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
roots:
|
|
description: |-
|
|
Roots is an optional set of PEM encoded trusted root certificates.
|
|
If not provided, the system roots are used.
|
|
type: string
|
|
subject:
|
|
description: Subject is the verified
|
|
identity used for keyless signing,
|
|
for example the email address.
|
|
type: string
|
|
subjectRegExp:
|
|
description: SubjectRegExp is the
|
|
regular expression to match identity
|
|
used for keyless signing, for
|
|
example the email address.
|
|
type: string
|
|
type: object
|
|
keys:
|
|
description: Keys specifies one or more
|
|
public keys.
|
|
properties:
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set,
|
|
is used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp response.
|
|
type: string
|
|
type: object
|
|
kms:
|
|
description: |-
|
|
KMS provides the URI to the public key stored in a Key Management System. See:
|
|
https://github.com/sigstore/cosign/blob/main/KMS.md
|
|
type: string
|
|
publicKeys:
|
|
description: |-
|
|
Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
|
|
specified or can be a variable reference to a key specified in a ConfigMap (see
|
|
https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
|
|
elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
|
|
The named Secret must specify a key `cosign.pub` containing the public key used for
|
|
verification (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
|
|
When multiple keys are specified each key is processed as a separate staticKey entry
|
|
(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
transparency log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
secret:
|
|
description: Reference to a Secret
|
|
resource that contains a public
|
|
key
|
|
properties:
|
|
name:
|
|
description: Name of the secret.
|
|
The provided secret must contain
|
|
a key named cosign.pub.
|
|
type: string
|
|
namespace:
|
|
description: Namespace name
|
|
where the Secret exists.
|
|
type: string
|
|
required:
|
|
- name
|
|
- namespace
|
|
type: object
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Deprecated. Use attestor.signatureAlgorithm
|
|
instead.
|
|
type: string
|
|
type: object
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
|
|
If specified Repository will override other OCI image repository locations for this Attestor.
|
|
type: string
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Specify signature algorithm
|
|
for public keys. Supported values
|
|
are sha224, sha256, sha384 and sha512.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
conditions:
|
|
description: |-
|
|
Conditions are used to verify attributes within a Predicate. If no Conditions are specified
|
|
the attestation check is satisfied as long as there are predicates that match the predicate type.
|
|
items:
|
|
description: |-
|
|
AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
|
|
AnyConditions get fulfilled when at least one of its sub-conditions passes.
|
|
AllConditions get fulfilled only when all of its sub-conditions pass.
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be a fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions needs to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be a fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
predicateType:
|
|
description: Deprecated in favour of 'Type', to
|
|
be removed soon
|
|
type: string
|
|
type:
|
|
description: Type defines the type of attestation
|
|
contained within the Statement.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
attestors:
|
|
description: Attestors specify the required attestors
|
|
(i.e. authorities)
|
|
items:
|
|
properties:
|
|
count:
|
|
description: |-
|
|
Count specifies the required number of entries that must match. If the count is null, all entries must match
|
|
(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
|
|
value N, then N must be less than or equal to the size of entries, and at least N entries must match.
|
|
minimum: 1
|
|
type: integer
|
|
entries:
|
|
description: |-
|
|
Entries contains the available attestors. An attestor can be a static key,
|
|
attributes for keyless verification, or a nested attestor declaration.
|
|
items:
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations are used for image verification.
|
|
Every specified key-value pair must exist and match in the verified payload.
|
|
The payload may contain other key-value pairs.
|
|
type: object
|
|
attestor:
|
|
description: Attestor is a nested set of Attestor
|
|
used to specify a more complex set of match
|
|
authorities.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
certificates:
|
|
description: Certificates specifies one or
|
|
more certificates.
|
|
properties:
|
|
cert:
|
|
description: Cert is an optional PEM-encoded
|
|
public certificate.
|
|
type: string
|
|
certChain:
|
|
description: CertChain is an optional
|
|
PEM encoded set of certificates used
|
|
to verify.
|
|
type: string
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate transparency log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true only if SCT inclusion was opted out of during signing; this disables the check that the signing certificate was published to the CT log.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set, is used
|
|
to validate SCTs against a custom
|
|
source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if it is not embedded in the timestamp.
|
|
type: string
|
|
type: object
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips transparency
|
|
log verification. Setting it to true removes the check that the signature was recorded in Rekor, so it should be reserved for offline or private signing setups.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address of
|
|
the transparency log. Defaults to
|
|
the public Rekor log instance https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
keyless:
|
|
description: |-
|
|
Keyless is a set of attributes used to verify a Sigstore keyless attestor.
|
|
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions are
|
|
certificate-extensions used for keyless
|
|
signing.
|
|
type: object
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate transparency log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true only if SCT inclusion was opted out of during signing; this disables the check that the signing certificate was published to the CT log.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set, is used
|
|
to validate SCTs against a custom
|
|
source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if it is not embedded in the timestamp.
|
|
type: string
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
issuerRegExp:
|
|
description: IssuerRegExp is the regular
|
|
expression to match certificate issuer
|
|
used for keyless signing. Anchor the expression (e.g. with ^ and $) unless a substring match is intended.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips transparency
|
|
log verification. Setting it to true removes the check that the signature was recorded in Rekor, so it should be reserved for offline or private signing setups.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address of
|
|
the transparency log. Defaults to
|
|
the public Rekor log instance https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
roots:
|
|
description: |-
|
|
Roots is an optional set of PEM encoded trusted root certificates.
|
|
If not provided, the system roots are used.
|
|
type: string
|
|
subject:
|
|
description: Subject is the verified identity
|
|
used for keyless signing, for example
|
|
the email address.
|
|
type: string
|
|
subjectRegExp:
|
|
description: SubjectRegExp is the regular
|
|
expression to match identity used for
|
|
keyless signing, for example the email
|
|
address. Anchor the expression (e.g. with ^ and $) unless a substring match is intended, and combine it with issuer or issuerRegExp so that only identities from the expected provider are accepted.
|
|
type: string
|
|
type: object
|
|
keys:
|
|
description: Keys specifies one or more public
|
|
keys.
|
|
properties:
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate transparency log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true only if SCT inclusion was opted out of during signing; this disables the check that the signing certificate was published to the CT log.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set, is used
|
|
to validate SCTs against a custom
|
|
source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if it is not embedded in the timestamp.
|
|
type: string
|
|
type: object
|
|
kms:
|
|
description: |-
|
|
KMS provides the URI to the public key stored in a Key Management System. See:
|
|
https://github.com/sigstore/cosign/blob/main/KMS.md
|
|
type: string
|
|
publicKeys:
|
|
description: |-
|
|
Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
|
|
specified or can be a variable reference to a key specified in a ConfigMap (see
|
|
https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
|
|
elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
|
|
The named Secret must specify a key `cosign.pub` containing the public key used for
|
|
verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
|
|
When multiple keys are specified each key is processed as a separate staticKey entry
|
|
(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips transparency
|
|
log verification. Setting it to true removes the check that the signature was recorded in Rekor, so it should be reserved for offline or private signing setups.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address of
|
|
the transparency log. Defaults to
|
|
the public Rekor log instance https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
secret:
|
|
description: Reference to a Secret resource
|
|
that contains a public key
|
|
properties:
|
|
name:
|
|
description: Name of the secret. The
|
|
provided secret must contain a key
|
|
named cosign.pub.
|
|
type: string
|
|
namespace:
|
|
description: Namespace name where
|
|
the Secret exists.
|
|
type: string
|
|
required:
|
|
- name
|
|
- namespace
|
|
type: object
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Deprecated. Use attestor.signatureAlgorithm
|
|
instead.
|
|
type: string
|
|
type: object
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
|
|
If specified Repository will override other OCI image repository locations for this Attestor.
|
|
type: string
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Specify the digest algorithm used when verifying signatures made with
|
|
public keys. Supported values are sha224,
|
|
sha256, sha384 and sha512.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
failureAction:
|
|
description: Allowed values are Audit or Enforce.
|
|
enum:
|
|
- Audit
|
|
- Enforce
|
|
type: string
|
|
imageReferences:
|
|
description: |-
|
|
ImageReferences is a list of matching image reference patterns. At least one pattern in the
|
|
list must match the image for the rule to apply. Each image reference consists of a registry
|
|
address (defaults to docker.io), repository, image, and tag (defaults to latest).
|
|
Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
|
|
items:
|
|
type: string
|
|
type: array
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides credentials
|
|
that will be used for authentication with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows insecure
|
|
access to a registry, bypassing transport security checks. Enable it only for registries on a trusted network.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
It can be one of these values: default, google, azure, amazon, github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
mutateDigest:
|
|
default: true
|
|
description: |-
|
|
MutateDigest enables replacement of image tags with digests.
|
|
Defaults to true.
|
|
type: boolean
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
|
|
If specified Repository will override the default OCI image repository configured for the installation.
|
|
The repository can also be overridden per Attestor or Attestation.
|
|
type: string
|
|
required:
|
|
default: true
|
|
description: Required validates that images are verified
|
|
i.e. have passed a signature or attestation
|
|
check.
|
|
type: boolean
|
|
skipImageReferences:
|
|
description: |-
|
|
SkipImageReferences is a list of matching image reference patterns that should be skipped.
|
|
At least one pattern in the list must match the image for the rule to be skipped. Each image reference
|
|
consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
|
|
Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. Images matched here are admitted without signature or attestation verification, so keep these patterns as narrow as possible.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type:
|
|
description: |-
|
|
Type specifies the method of signature validation. The allowed options
|
|
are Cosign, SigstoreBundle and Notary. By default Cosign is used if a type is not specified.
|
|
enum:
|
|
- Cosign
|
|
- SigstoreBundle
|
|
- Notary
|
|
type: string
|
|
useCache:
|
|
default: true
|
|
description: UseCache enables caching of image verify
|
|
responses for this rule
|
|
type: boolean
|
|
verifyDigest:
|
|
default: true
|
|
description: VerifyDigest validates that images have a
|
|
digest.
|
|
type: boolean
|
|
type: object
|
|
type: array
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
schemaValidation:
|
|
description: Deprecated.
|
|
type: boolean
|
|
useServerSideApply:
|
|
description: |-
|
|
UseServerSideApply controls whether to use server-side apply for generate rules
|
|
If is set to "true" create & update for generate rules will use apply instead of create/update.
|
|
Defaults to "false" if not specified.
|
|
type: boolean
|
|
validationFailureAction:
|
|
default: Audit
|
|
description: Deprecated, use validationFailureAction under the validate
|
|
rule instead.
|
|
enum:
|
|
- audit
|
|
- enforce
|
|
- Audit
|
|
- Enforce
|
|
type: string
|
|
validationFailureActionOverrides:
|
|
description: Deprecated, use validationFailureActionOverrides under
|
|
the validate rule instead.
|
|
items:
|
|
properties:
|
|
action:
|
|
description: ValidationFailureAction defines the policy validation
|
|
failure action
|
|
enum:
|
|
- audit
|
|
- enforce
|
|
- Audit
|
|
- Enforce
|
|
type: string
|
|
namespaceSelector:
|
|
description: |-
|
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
label selector matches no objects.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label selector
|
|
requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the selector
|
|
applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
type: array
|
|
webhookConfiguration:
|
|
description: WebhookConfiguration specifies the custom configuration
|
|
for Kubernetes admission webhookconfiguration.
|
|
properties:
|
|
failurePolicy:
|
|
description: |-
|
|
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
|
|
Rules within the same policy share the same failure behavior.
|
|
This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
|
|
Allowed values are Ignore or Fail. Defaults to Fail. Note that Ignore fails open: a request is admitted when the webhook errors or times out, so the policy is not enforced for it.
|
|
enum:
|
|
- Ignore
|
|
- Fail
|
|
type: string
|
|
matchConditions:
|
|
description: |-
|
|
MatchCondition configures admission webhook matchConditions.
|
|
Requires Kubernetes 1.27 or later.
|
|
items:
|
|
description: MatchCondition represents a condition which must
|
|
by fulfilled for a request to be sent to a webhook.
|
|
properties:
|
|
expression:
|
|
description: |-
|
|
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
|
|
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
|
|
|
|
'object' - The object from the incoming request. The value is null for DELETE requests.
|
|
'oldObject' - The existing object. The value is null for CREATE requests.
|
|
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
|
|
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
|
|
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
|
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
|
|
request resource.
|
|
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
|
|
|
|
Required.
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name is an identifier for this match condition, used for strategic merging of MatchConditions,
|
|
as well as providing an identifier for logging purposes. A good name should be descriptive of
|
|
the associated expression.
|
|
Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
|
|
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
|
|
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
|
|
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
|
|
|
|
Required.
|
|
type: string
|
|
required:
|
|
- expression
|
|
- name
|
|
type: object
|
|
type: array
|
|
timeoutSeconds:
|
|
description: |-
|
|
TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
|
|
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
|
|
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
|
|
format: int32
|
|
type: integer
|
|
type: object
|
|
webhookTimeoutSeconds:
|
|
description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration
|
|
instead.
|
|
format: int32
|
|
type: integer
|
|
type: object
|
|
status:
|
|
description: Status contains policy runtime data.
|
|
properties:
|
|
autogen:
|
|
description: AutogenStatus contains autogen status information.
|
|
properties:
|
|
rules:
|
|
description: Rules is a list of Rule instances. It contains auto
|
|
generated rules added for pod controllers
|
|
items:
|
|
description: |-
|
|
Rule defines a validation, mutation, or generation control for matching resources.
|
|
Each rules contains a match declaration to select resources, and an optional exclude
|
|
declaration to specify which resources to exclude.
|
|
properties:
|
|
celPreconditions:
|
|
description: |-
|
|
CELPreconditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of CEL conditions. It can only be used with the validate.cel subrule
|
|
items:
|
|
description: MatchCondition represents a condition which
|
|
must be fulfilled for a request to be sent to a webhook.
|
|
properties:
|
|
expression:
|
|
description: |-
|
|
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
|
|
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
|
|
|
|
'object' - The object from the incoming request. The value is null for DELETE requests.
|
|
'oldObject' - The existing object. The value is null for CREATE requests.
|
|
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
|
|
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
|
|
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
|
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
|
|
request resource.
|
|
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
|
|
|
|
Required.
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name is an identifier for this match condition, used for strategic merging of MatchConditions,
|
|
as well as providing an identifier for logging purposes. A good name should be descriptive of
|
|
the associated expression.
|
|
Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
|
|
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
|
|
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
|
|
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
|
|
|
|
Required.
|
|
type: string
|
|
required:
|
|
- expression
|
|
- name
|
|
type: object
|
|
type: array
|
|
context:
|
|
description: Context defines variables and data sources
|
|
that can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference or a APILookup must be provided.
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains the HTTP POST
|
|
data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns an error
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request type (GET
|
|
or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference is a reference
|
|
to a cached global context entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides
|
|
credentials that will be used for authentication
|
|
with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows
|
|
insecure access to a registry, bypassing transport security checks. Enable it only for registries on a trusted network.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
It can be one of these values: default, google, azure, amazon, github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential providers
|
|
required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary JMESPath
|
|
context variable that can be defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary JSON object
|
|
representable in YAML or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
exclude:
|
|
description: |-
|
|
ExcludeResources defines when this policy rule should not be applied. The exclude
|
|
criteria can include resource information (e.g. kind, name, namespace, labels)
|
|
and admission review request information like the name or role.
|
|
not:
|
|
required:
|
|
- any
|
|
- all
|
|
properties:
|
|
all:
|
|
description: All allows specifying resources which will
|
|
be ANDed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or
|
|
"OR" between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character).Wildcards allows writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespaces names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values
|
|
["CREATE", "UPDATE", "CONNECT", "DELETE"],
|
|
which are used to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have
|
|
one of the values CREATE, UPDATE, CONNECT,
|
|
DELETE, which are used to match a specific
|
|
action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is not namespaced, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: Any allows specifying resources which will
|
|
be ORed
|
|
items:
|
|
description: ResourceFilter allows users to "AND" or
|
|
"OR" between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values
|
|
["CREATE, "UPDATE", "CONNECT", "DELETE"],
|
|
which are used to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have
|
|
one of the values CREATE, UPDATE, CONNECT,
|
|
DELETE, which are used to match a specific
|
|
action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is not namespaced, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: |-
|
|
ResourceDescription contains information about the resource being created or modified.
|
|
Requires at least one tag to be specified when under MatchResources.
|
|
Specifying ResourceDescription directly under match is being deprecated.
|
|
Please specify under "any" or "all" instead.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used
|
|
to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one of
|
|
the values CREATE, UPDATE, CONNECT, DELETE,
|
|
which are used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is not namespaced, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
generate:
|
|
description: Generation is used to create new resources.
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
clone:
|
|
description: |-
|
|
Clone specifies the source resource used to populate each generated resource.
|
|
At most one of Data or Clone can be specified. If neither is provided, the generated
|
|
resource will be created with default data only.
|
|
properties:
|
|
name:
|
|
description: Name specifies name of the resource.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies source resource
|
|
namespace.
|
|
type: string
|
|
type: object
|
|
cloneList:
|
|
description: CloneList specifies the list of source
|
|
resources used to populate each generated resource.
|
|
properties:
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespace:
|
|
description: Namespace specifies source resource
|
|
namespace.
|
|
type: string
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. In label keys and values in `matchLabels`,
|
|
wildcard characters are not supported.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
data:
|
|
description: |-
|
|
Data provides the resource declaration used to populate each generated resource.
|
|
At most one of Data or Clone can be specified. If neither is provided, the generated
|
|
resource will be created with default data only.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
foreach:
|
|
description: ForEach applies generate rules to a list
|
|
of sub-elements by creating a context for each entry
|
|
in the list and looping over it to apply the specified
|
|
logic.
|
|
items:
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
clone:
|
|
description: |-
|
|
Clone specifies the source resource used to populate each generated resource.
|
|
At most one of Data or Clone can be specified. If neither is provided, the generated
|
|
resource will be created with default data only.
|
|
properties:
|
|
name:
|
|
description: Name specifies name of the resource.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies source resource
|
|
namespace.
|
|
type: string
|
|
type: object
|
|
cloneList:
|
|
description: CloneList specifies the list of source
|
|
resources used to populate each generated resource.
|
|
properties:
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespace:
|
|
description: Namespace specifies source resource
|
|
namespace.
|
|
type: string
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. In label keys and values in `matchLabels`,
|
|
wildcard characters are not supported.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
context:
|
|
description: Context defines variables and data
|
|
sources that can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference or an APILookup must be provided.
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains
|
|
the HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data
|
|
value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns an error.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap
|
|
reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference
|
|
is a reference to a cached global context
|
|
entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context
|
|
entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials
|
|
provides credentials that will be
|
|
used for authentication with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry
|
|
allows insecure access to a registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies the list of OCI registry authentication providers to use.
|
|
Each entry must be one of: default, google, azure, amazon, github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary
|
|
JMESPath context variable that can be
|
|
defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary
|
|
JSON object representable in YAML
|
|
or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
data:
|
|
description: |-
|
|
Data provides the resource declaration used to populate each generated resource.
|
|
At most one of Data or Clone can be specified. If neither is provided, the generated
|
|
resource will be created with default data only.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
list:
|
|
description: |-
|
|
List specifies a JMESPath expression that results in one or more elements
|
|
to which the validation logic is applied.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
preconditions:
|
|
description: |-
|
|
AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions needs to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
uid:
|
|
description: UID specifies the resource uid.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
generateExisting:
|
|
description: |-
|
|
GenerateExisting controls whether to trigger the rule in existing resources
|
|
If it is set to "true", the rule will be triggered and applied to existing matched resources.
|
|
type: boolean
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
orphanDownstreamOnPolicyDelete:
|
|
description: |-
|
|
OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
|
|
them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
|
|
See https://kyverno.io/docs/writing-policies/generate/#data-examples.
|
|
Defaults to "false" if not specified.
|
|
type: boolean
|
|
synchronize:
|
|
description: |-
|
|
Synchronize controls if generated resources should be kept in-sync with their source resource.
|
|
If Synchronize is set to "true" changes to generated resources will be overwritten with resource
|
|
data from Data or the resource specified in the Clone declaration.
|
|
Optional. Defaults to "false" if not specified.
|
|
type: boolean
|
|
uid:
|
|
description: UID specifies the resource uid.
|
|
type: string
|
|
type: object
|
|
imageExtractors:
|
|
additionalProperties:
|
|
items:
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath expression to apply to the image value.
|
|
This is useful when the extracted image begins with a prefix like 'docker://'.
|
|
The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
|
|
Note - Image digest mutation may not be used when applying a JMESPath to an image.
|
|
type: string
|
|
key:
|
|
description: |-
|
|
Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
|
|
Note - this field MUST be unique.
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name is the entry the image will be available under 'images.<name>' in the context.
|
|
If this field is not defined, image entries will appear under 'images.custom'.
|
|
type: string
|
|
path:
|
|
description: |-
|
|
Path is the path to the object containing the image field in a custom resource.
|
|
It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
|
|
Wildcard keys are expanded in case of arrays or objects.
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is an optional name of the field within 'path' that points to the image URI.
|
|
This is useful when a custom 'key' is also defined.
|
|
type: string
|
|
required:
|
|
- path
|
|
type: object
|
|
type: array
|
|
description: |-
|
|
ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
|
|
This config is only valid for verifyImages rules.
|
|
type: object
|
|
match:
|
|
description: |-
|
|
MatchResources defines when this policy rule should be applied. The match
|
|
criteria can include resource information (e.g. kind, name, namespace, labels)
|
|
and admission review request information like the user name or role.
|
|
At least one kind is required.
|
|
not:
|
|
required:
|
|
- any
|
|
- all
|
|
properties:
|
|
all:
|
|
description: All allows specifying resources which will
|
|
be ANDed
|
|
items:
|
|
description: ResourceFilter allows users to "AND" or
|
|
"OR" between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values
|
|
["CREATE", "UPDATE", "CONNECT", "DELETE"],
|
|
which are used to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have
|
|
one of the values CREATE, UPDATE, CONNECT,
|
|
DELETE, which are used to match a specific
|
|
action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty,
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: Any allows specifying resources which will
|
|
be ORed
|
|
items:
|
|
description: ResourceFilter allows users to "AND" or
|
|
"OR" between resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information
|
|
about the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values
|
|
["CREATE", "UPDATE", "CONNECT", "DELETE"],
|
|
which are used to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have
|
|
one of the values CREATE, UPDATE, CONNECT,
|
|
DELETE, which are used to match a specific
|
|
action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The
|
|
requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names
|
|
like users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty,
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide
|
|
role names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: |-
|
|
ResourceDescription contains information about the resource being created or modified.
|
|
Requires at least one tag to be specified when under MatchResources.
|
|
Specifying ResourceDescription directly under match is being deprecated.
|
|
Please specify under "any" or "all" instead.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used
|
|
to match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one of
|
|
the values CREATE, UPDATE, CONNECT, DELETE,
|
|
which are used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are
|
|
ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespaced, such as "User" or "Group", and this value is not empty,
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
mutate:
|
|
description: Mutation is used to modify matching resources.
|
|
properties:
|
|
foreach:
|
|
description: ForEach applies mutation rules to a list
|
|
of sub-elements by creating a context for each entry
|
|
in the list and looping over it to apply the specified
|
|
logic.
|
|
items:
|
|
description: ForEachMutation applies mutation rules
|
|
to a list of sub-elements by creating a context
|
|
for each entry in the list and looping over it to
|
|
apply the specified logic.
|
|
properties:
|
|
context:
|
|
description: Context defines variables and data
|
|
sources that can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference or an APILookup must be provided.
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains
|
|
the HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data
|
|
value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns an error
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap
|
|
reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference
|
|
is a reference to a cached global context
|
|
entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context
|
|
entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials
|
|
provides credentials that will be
|
|
used for authentication with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry
|
|
allows insecure access to a registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
Each value must be one of: default, google, azure, amazon, github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is an image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary
|
|
JMESPath context variable that can be
|
|
defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary
|
|
JSON object representable in YAML
|
|
or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
foreach:
|
|
description: Foreach declares a nested foreach
|
|
iterator
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
list:
|
|
description: |-
|
|
List specifies a JMESPath expression that results in one or more elements
|
|
to which the validation logic is applied.
|
|
type: string
|
|
order:
|
|
description: |-
|
|
Order defines the iteration order on the list.
|
|
Can be Ascending to iterate from the first to the last element, or Descending to iterate from the last to the first element.
|
|
enum:
|
|
- Ascending
|
|
- Descending
|
|
type: string
|
|
patchStrategicMerge:
|
|
description: |-
|
|
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
|
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
|
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
patchesJson6902:
|
|
description: |-
|
|
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
|
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
|
type: string
|
|
preconditions:
|
|
description: |-
|
|
AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions needs to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
mutateExistingOnPolicyUpdate:
|
|
description: MutateExistingOnPolicyUpdate controls if
|
|
the mutateExisting rule will be applied on policy
|
|
events.
|
|
type: boolean
|
|
patchStrategicMerge:
|
|
description: |-
|
|
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
|
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
|
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
patchesJson6902:
|
|
description: |-
|
|
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
|
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
|
type: string
|
|
targets:
|
|
description: Targets defines the target resources to
|
|
be mutated.
|
|
items:
|
|
description: TargetResourceSpec defines targets for
|
|
mutating existing resources.
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
context:
|
|
description: Context defines variables and data
|
|
sources that can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference or an APILookup must be provided.
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains
|
|
the HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data
|
|
value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns error
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap
|
|
reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference
|
|
is a reference to a cached global context
|
|
entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context
|
|
entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials
|
|
provides credentials that will be
|
|
used for authentication with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry
|
|
allows insecure access to a registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
Each value must be one of: default, google, azure, amazon, github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is an image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary
|
|
JMESPath context variable that can be
|
|
defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary
|
|
JSON object representable in YAML
|
|
or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
preconditions:
|
|
description: |-
|
|
Preconditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
|
|
of conditions (without `any` or `all` statements) is supported for backwards compatibility but
|
|
will be deprecated in the next major release.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
uid:
|
|
description: UID specifies the resource uid.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
name:
|
|
description: Name is a label to identify the rule. It must
|
|
be unique within the policy.
|
|
maxLength: 63
|
|
type: string
|
|
preconditions:
|
|
description: |-
|
|
Preconditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
|
|
of conditions (without `any` or `all` statements) is supported for backwards compatibility but
|
|
will be deprecated in the next major release.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
reportProperties:
|
|
additionalProperties:
|
|
type: string
|
|
description: ReportProperties are the additional properties
|
|
from the rule that will be added to the policy report
|
|
result
|
|
type: object
|
|
skipBackgroundRequests:
|
|
default: true
|
|
description: |-
|
|
SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
|
|
The default value is set to "true", it must be set to "false" to apply
|
|
generate and mutateExisting rules to those requests.
|
|
type: boolean
|
|
validate:
|
|
description: Validation is used to validate matching resources.
|
|
properties:
|
|
anyPattern:
|
|
description: |-
|
|
AnyPattern specifies list of validation patterns. At least one of the patterns
|
|
must be satisfied for the validation rule to succeed.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
assert:
|
|
description: Assert defines a kyverno-json assertion
|
|
tree.
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
cel:
|
|
description: CEL allows validation checks using the
|
|
Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
|
|
properties:
|
|
auditAnnotations:
|
|
description: AuditAnnotations contains CEL expressions
|
|
which are used to produce audit annotations for
|
|
the audit event of the API request.
|
|
items:
|
|
description: AuditAnnotation describes how to
|
|
produce an audit annotation for an API request.
|
|
properties:
|
|
key:
|
|
description: |-
|
|
key specifies the audit annotation key. The audit annotation keys of
|
|
a ValidatingAdmissionPolicy must be unique. The key must be a qualified
|
|
name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
|
|
|
|
The key is combined with the resource name of the
|
|
ValidatingAdmissionPolicy to construct an audit annotation key:
|
|
"{ValidatingAdmissionPolicy name}/{key}".
|
|
|
|
If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
|
|
and the same audit annotation key, the annotation key will be identical.
|
|
In this case, the first annotation written with the key will be included
|
|
in the audit event and all subsequent annotations with the same key
|
|
will be discarded.
|
|
|
|
Required.
|
|
type: string
|
|
valueExpression:
|
|
description: |-
|
|
valueExpression represents the expression which is evaluated by CEL to
|
|
produce an audit annotation value. The expression must evaluate to either
|
|
a string or null value. If the expression evaluates to a string, the
|
|
audit annotation is included with the string value. If the expression
|
|
evaluates to null or empty string the audit annotation will be omitted.
|
|
The valueExpression may be no longer than 5kb in length.
|
|
If the result of the valueExpression is more than 10kb in length, it
|
|
will be truncated to 10kb.
|
|
|
|
If multiple ValidatingAdmissionPolicyBinding resources match an
|
|
API request, then the valueExpression will be evaluated for
|
|
each binding. All unique values produced by the valueExpressions
|
|
will be joined together in a comma-separated list.
|
|
|
|
Required.
|
|
type: string
|
|
required:
|
|
- key
|
|
- valueExpression
|
|
type: object
|
|
type: array
|
|
expressions:
|
|
description: Expressions is a list of CELExpression
|
|
types.
|
|
items:
|
|
description: Validation specifies the CEL expression
|
|
which is used to apply the validation.
|
|
properties:
|
|
expression:
|
|
description: "Expression represents the expression
|
|
which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
|
|
expressions have access to the contents
|
|
of the API request/response, organized into
|
|
CEL variables as well as some other useful
|
|
variables:\n\n- 'object' - The object from
|
|
the incoming request. The value is null
|
|
for DELETE requests.\n- 'oldObject' - The
|
|
existing object. The value is null for CREATE
|
|
requests.\n- 'request' - Attributes of the
|
|
API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
|
|
'params' - Parameter resource referred to
|
|
by the policy binding being evaluated. Only
|
|
populated if the policy has a ParamKind.\n-
|
|
'namespaceObject' - The namespace object
|
|
that the incoming object belongs to. The
|
|
value is null for cluster-scoped resources.\n-
|
|
'variables' - Map of composited variables,
|
|
from its name to its lazily evaluated value.\n
|
|
\ For example, a variable named 'foo' can
|
|
be accessed as 'variables.foo'.\n- 'authorizer'
|
|
- A CEL Authorizer. May be used to perform
|
|
authorization checks for the principal (user
|
|
or service account) of the request.\n See
|
|
https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
|
|
'authorizer.requestResource' - A CEL ResourceCheck
|
|
constructed from the 'authorizer' and configured
|
|
with the\n request resource.\n\nThe `apiVersion`,
|
|
`kind`, `metadata.name` and `metadata.generateName`
|
|
are always accessible from the root of the\nobject.
|
|
No other metadata properties are accessible.\n\nOnly
|
|
property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
|
|
are accessible.\nAccessible property names
|
|
are escaped according to the following rules
|
|
when accessed in the expression:\n- '__'
|
|
escapes to '__underscores__'\n- '.' escapes
|
|
to '__dot__'\n- '-' escapes to '__dash__'\n-
|
|
'/' escapes to '__slash__'\n- Property names
|
|
that exactly match a CEL RESERVED keyword
|
|
escape to '__{keyword}__'. The keywords
|
|
are:\n\t \"true\", \"false\", \"null\",
|
|
\"in\", \"as\", \"break\", \"const\", \"continue\",
|
|
\"else\", \"for\", \"function\", \"if\",\n\t
|
|
\ \"import\", \"let\", \"loop\", \"package\",
|
|
\"namespace\", \"return\".\nExamples:\n
|
|
\ - Expression accessing a property named
|
|
\"namespace\": {\"Expression\": \"object.__namespace__
|
|
> 0\"}\n - Expression accessing a property
|
|
named \"x-prop\": {\"Expression\": \"object.x__dash__prop
|
|
> 0\"}\n - Expression accessing a property
|
|
named \"redact__d\": {\"Expression\": \"object.redact__underscores__d
|
|
> 0\"}\n\nEquality on arrays with list type
|
|
of 'set' or 'map' ignores element order,
|
|
i.e. [1, 2] == [2, 1].\nConcatenation on
|
|
arrays with x-kubernetes-list-type use the
|
|
semantics of the list type:\n - 'set':
|
|
`X + Y` performs a union where the array
|
|
positions of all elements in `X` are preserved
|
|
and\n non-intersecting elements in `Y`
|
|
are appended, retaining their partial order.\n
|
|
\ - 'map': `X + Y` performs a merge where
|
|
the array positions of all keys in `X` are
|
|
preserved but the values\n are overwritten
|
|
by values in `Y` when the key sets of `X`
|
|
and `Y` intersect. Elements in `Y` with\n
|
|
\ non-intersecting keys are appended,
|
|
retaining their partial order.\nRequired."
|
|
type: string
|
|
message:
|
|
description: |-
|
|
Message represents the message displayed when validation fails. The message is required if the Expression contains
|
|
line breaks. The message must not contain line breaks.
|
|
If unset, the message is "failed rule: {Rule}".
|
|
e.g. "must be a URL with the host matching spec.host"
|
|
If the Expression contains line breaks. Message is required.
|
|
The message must not contain line breaks.
|
|
If unset, the message is "failed Expression: {Expression}".
|
|
type: string
|
|
messageExpression:
|
|
description: |-
|
|
messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
|
|
Since messageExpression is used as a failure message, it must evaluate to a string.
|
|
If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
|
|
If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
|
|
as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
|
|
that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
|
|
the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
|
|
messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
|
|
Example:
|
|
"object.x must be less than max ("+string(params.max)+")"
|
|
type: string
|
|
reason:
|
|
description: |-
|
|
Reason represents a machine-readable description of why this validation failed.
|
|
If this is the first validation in the list to fail, this reason, as well as the
|
|
corresponding HTTP response code, are used in the
|
|
HTTP response to the client.
|
|
The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
|
|
If not set, StatusReasonInvalid is used in the response to the client.
|
|
type: string
|
|
required:
|
|
- expression
|
|
type: object
|
|
type: array
|
|
paramKind:
|
|
description: ParamKind is a tuple of Group Kind
|
|
and Version.
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion is the API group version the resources belong to.
|
|
In format of "group/version".
|
|
Required.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is the API kind the resources belong to.
|
|
Required.
|
|
type: string
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
paramRef:
|
|
description: ParamRef references a parameter resource.
|
|
properties:
|
|
name:
|
|
description: |-
|
|
name is the name of the resource being referenced.
|
|
|
|
One of `name` or `selector` must be set, but `name` and `selector` are
|
|
mutually exclusive properties. If one is set, the other must be unset.
|
|
|
|
A single parameter used for all admission requests can be configured
|
|
by setting the `name` field, leaving `selector` blank, and setting namespace
|
|
if `paramKind` is namespace-scoped.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
namespace is the namespace of the referenced resource. Allows limiting
|
|
the search for params to a specific namespace. Applies to both `name` and
|
|
`selector` fields.
|
|
|
|
A per-namespace parameter may be used by specifying a namespace-scoped
|
|
`paramKind` in the policy and leaving this field empty.
|
|
|
|
- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
|
|
field results in a configuration error.
|
|
|
|
- If `paramKind` is namespace-scoped, the namespace of the object being
|
|
evaluated for admission will be used when this field is left unset. Take
|
|
care that if this is left empty the binding must not match any cluster-scoped
|
|
resources, which will result in an error.
|
|
type: string
|
|
parameterNotFoundAction:
|
|
description: |-
|
|
`parameterNotFoundAction` controls the behavior of the binding when the resource
|
|
exists, and name or selector is valid, but there are no parameters
|
|
matched by the binding. If the value is set to `Allow`, then no
|
|
matched parameters will be treated as successful validation by the binding.
|
|
If set to `Deny`, then no matched parameters will be subject to the
|
|
`failurePolicy` of the policy.
|
|
|
|
Allowed values are `Allow` or `Deny`
|
|
|
|
Required
|
|
type: string
|
|
selector:
|
|
description: |-
|
|
selector can be used to match multiple param objects based on their labels.
|
|
Supply selector: {} to match all resources of the ParamKind.
|
|
|
|
If multiple params are found, they are all evaluated with the policy expressions
|
|
and the results are ANDed together.
|
|
|
|
One of `name` or `selector` must be set, but `name` and `selector` are
|
|
mutually exclusive properties. If one is set, the other must be unset.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list
|
|
of label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key
|
|
that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
variables:
|
|
description: |-
|
|
Variables contain definitions of variables that can be used in composition of other expressions.
|
|
Each variable is defined as a named CEL expression.
|
|
The variables defined here will be available under `variables` in other expressions of the policy.
|
|
items:
|
|
description: Variable is the definition of a variable
|
|
that is used for composition. A variable is
|
|
defined as a named expression.
|
|
properties:
|
|
expression:
|
|
description: |-
|
|
Expression is the expression that will be evaluated as the value of the variable.
|
|
The CEL expression has access to the same identifiers as the CEL expressions in Validation.
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
|
|
The variable can be accessed in other expressions through `variables`
|
|
For example, if name is "foo", the variable will be available as `variables.foo`
|
|
type: string
|
|
required:
|
|
- expression
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
deny:
|
|
description: Deny defines conditions used to pass or
|
|
fail a validation rule.
|
|
properties:
|
|
conditions:
|
|
description: |-
|
|
Multiple conditions can be declared under an `any` or `all` statement. A direct list
|
|
of conditions (without `any` or `all` statements) is also supported for backwards compatibility
|
|
but will be deprecated in the next major release.
|
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
failureAction:
|
|
description: |-
|
|
FailureAction defines if a validation policy rule violation should block
|
|
the admission review request (Enforce), or allow (Audit) the admission review request
|
|
and report an error in a policy report. Optional.
|
|
Allowed values are Audit or Enforce.
|
|
enum:
|
|
- Audit
|
|
- Enforce
|
|
type: string
|
|
failureActionOverrides:
|
|
description: |-
|
|
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
|
|
namespace-wise. It overrides FailureAction for the specified namespaces.
|
|
items:
|
|
properties:
|
|
action:
|
|
description: ValidationFailureAction defines the
|
|
policy validation failure action
|
|
enum:
|
|
- audit
|
|
- enforce
|
|
- Audit
|
|
- Enforce
|
|
type: string
|
|
namespaceSelector:
|
|
description: |-
|
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
label selector matches no objects.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of
|
|
label selector requirements. The requirements
|
|
are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that
|
|
the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
type: array
|
|
foreach:
|
|
description: ForEach applies validate rules to a list
|
|
of sub-elements by creating a context for each entry
|
|
in the list and looping over it to apply the specified
|
|
logic.
|
|
items:
|
|
description: ForEachValidation applies validate rules
|
|
to a list of sub-elements by creating a context
|
|
for each entry in the list and looping over it to
|
|
apply the specified logic.
|
|
properties:
|
|
anyPattern:
|
|
description: |-
|
|
AnyPattern specifies list of validation patterns. At least one of the patterns
|
|
must be satisfied for the validation rule to succeed.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
context:
|
|
description: Context defines variables and data
|
|
sources that can be used during rule execution.
|
|
items:
|
|
description: |-
|
|
ContextEntry adds variables and data sources to a rule Context. Either a
|
|
ConfigMap reference or an APILookup must be provided.
|
|
oneOf:
|
|
- required:
|
|
- configMap
|
|
- required:
|
|
- apiCall
|
|
- required:
|
|
- imageRegistry
|
|
- required:
|
|
- variable
|
|
- required:
|
|
- globalReference
|
|
properties:
|
|
apiCall:
|
|
description: |-
|
|
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
|
|
The data returned is stored in the context with the name for the context entry.
|
|
properties:
|
|
data:
|
|
description: |-
|
|
The data object specifies the POST data sent to the server.
|
|
Only applicable when the method field is set to POST.
|
|
items:
|
|
description: RequestData contains
|
|
the HTTP POST data
|
|
properties:
|
|
key:
|
|
description: Key is a unique identifier
|
|
for the data value
|
|
type: string
|
|
value:
|
|
description: Value is the data
|
|
value
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
required:
|
|
- key
|
|
- value
|
|
type: object
|
|
type: array
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the context may take if the apiCall
|
|
returns error
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
method:
|
|
default: GET
|
|
description: Method is the HTTP request
|
|
type (GET or POST). Defaults to GET.
|
|
enum:
|
|
- GET
|
|
- POST
|
|
type: string
|
|
service:
|
|
description: |-
|
|
Service is an API call to a JSON web service.
|
|
This is used for non-Kubernetes API server calls.
|
|
It's mutually exclusive with the URLPath field.
|
|
properties:
|
|
caBundle:
|
|
description: |-
|
|
CABundle is a PEM encoded CA bundle which will be used to validate
|
|
the server certificate.
|
|
type: string
|
|
url:
|
|
description: |-
|
|
URL is the JSON web service URL. A typical form is
|
|
`https://{service}.{namespace}:{port}/{path}`.
|
|
type: string
|
|
required:
|
|
- url
|
|
type: object
|
|
urlPath:
|
|
description: |-
|
|
URLPath is the URL path to be used in the HTTP GET or POST request to the
|
|
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
|
|
The format required is the same format used by the `kubectl get --raw` command.
|
|
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
|
|
for details.
|
|
It's mutually exclusive with the Service field.
|
|
type: string
|
|
type: object
|
|
configMap:
|
|
description: ConfigMap is the ConfigMap
|
|
reference.
|
|
properties:
|
|
name:
|
|
description: Name is the ConfigMap name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the ConfigMap
|
|
namespace.
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
globalReference:
|
|
description: GlobalContextEntryReference
|
|
is a reference to a cached global context
|
|
entry.
|
|
properties:
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the JSON response returned from the server. For example
|
|
a JMESPath of "items | length(@)" applied to the API server response
|
|
for the URLPath "/apis/apps/v1/deployments" will return the total count
|
|
of deployments across all namespaces.
|
|
type: string
|
|
name:
|
|
description: Name of the global context
|
|
entry
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
imageRegistry:
|
|
description: |-
|
|
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
|
|
details.
|
|
properties:
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials
|
|
provides credentials that will be
|
|
used for authentication with registry
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry
|
|
allows insecure access to a registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
It can be one of these values: default, google, azure, amazon, github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JSON Match Expression that can be used to
|
|
transform the ImageData struct returned as a result of processing
|
|
the image reference.
|
|
type: string
|
|
reference:
|
|
description: |-
|
|
Reference is image reference to a container image in the registry.
|
|
Example: ghcr.io/kyverno/kyverno:latest
|
|
type: string
|
|
required:
|
|
- reference
|
|
type: object
|
|
name:
|
|
description: Name is the variable name.
|
|
type: string
|
|
variable:
|
|
description: Variable defines an arbitrary
|
|
JMESPath context variable that can be
|
|
defined inline.
|
|
properties:
|
|
default:
|
|
description: |-
|
|
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
|
|
expression evaluates to nil
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
jmesPath:
|
|
description: |-
|
|
JMESPath is an optional JMESPath Expression that can be used to
|
|
transform the variable.
|
|
type: string
|
|
value:
|
|
description: Value is any arbitrary
|
|
JSON object representable in YAML
|
|
or JSON form.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
deny:
|
|
description: Deny defines conditions used to pass
|
|
or fail a validation rule.
|
|
properties:
|
|
conditions:
|
|
description: |-
|
|
Multiple conditions can be declared under an `any` or `all` statement. A direct list
|
|
of conditions (without `any` or `all` statements) is also supported for backwards compatibility
|
|
but will be deprecated in the next major release.
|
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
elementScope:
|
|
description: |-
|
|
ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
|
|
When set to "false", "request.object" is used as the validation scope within the foreach
|
|
block to allow referencing other elements in the subtree.
|
|
type: boolean
|
|
foreach:
|
|
description: Foreach declares a nested foreach
|
|
iterator
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
list:
|
|
description: |-
|
|
List specifies a JMESPath expression that results in one or more elements
|
|
to which the validation logic is applied.
|
|
type: string
|
|
pattern:
|
|
description: Pattern specifies an overlay-style
|
|
pattern used to check resources.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
preconditions:
|
|
description: |-
|
|
AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements.
|
|
See: https://kyverno.io/docs/writing-policies/preconditions/
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions needs to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context entry
|
|
(using JMESPath) for conditional rule
|
|
evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
manifests:
|
|
description: Manifest specifies conditions for manifest
|
|
verification
|
|
properties:
|
|
annotationDomain:
|
|
description: AnnotationDomain is custom domain of
|
|
annotation for message and signature. Default
|
|
is "cosign.sigstore.dev".
|
|
type: string
|
|
attestors:
|
|
description: Attestors specifies the required attestors
|
|
(i.e. authorities)
|
|
items:
|
|
properties:
|
|
count:
|
|
description: |-
|
|
Count specifies the required number of entries that must match. If the count is null, all entries must match
|
|
(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
|
|
value N, then N must be less than or equal to the size of entries, and at least N entries must match.
|
|
minimum: 1
|
|
type: integer
|
|
entries:
|
|
description: |-
|
|
Entries contains the available attestors. An attestor can be a static key,
|
|
attributes for keyless verification, or a nested attestor declaration.
|
|
items:
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations are used for image verification.
|
|
Every specified key-value pair must exist and match in the verified payload.
|
|
The payload may contain other key-value pairs.
|
|
type: object
|
|
attestor:
|
|
description: Attestor is a nested set
|
|
of Attestor used to specify a more
|
|
complex set of match authorities.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
certificates:
|
|
description: Certificates specifies
|
|
one or more certificates.
|
|
properties:
|
|
cert:
|
|
description: Cert is an optional
|
|
PEM-encoded public certificate.
|
|
type: string
|
|
certChain:
|
|
description: CertChain is an optional
|
|
PEM encoded set of certificates
|
|
used to verify.
|
|
type: string
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate transparency log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set,
|
|
is used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp response.
|
|
type: string
|
|
type: object
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
transparency log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
keyless:
|
|
description: |-
|
|
Keyless is a set of attributes used to verify a Sigstore keyless attestor.
|
|
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions
|
|
are certificate-extensions used
|
|
for keyless signing.
|
|
type: object
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate transparency log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set,
|
|
is used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp response.
|
|
type: string
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
issuerRegExp:
|
|
description: IssuerRegExp is the
|
|
regular expression to match certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
transparency log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
roots:
|
|
description: |-
|
|
Roots is an optional set of PEM encoded trusted root certificates.
|
|
If not provided, the system roots are used.
|
|
type: string
|
|
subject:
|
|
description: Subject is the verified
|
|
identity used for keyless signing,
|
|
for example the email address.
|
|
type: string
|
|
subjectRegExp:
|
|
description: SubjectRegExp is the
|
|
regular expression to match identity
|
|
used for keyless signing, for
|
|
example the email address.
|
|
type: string
|
|
type: object
|
|
keys:
|
|
description: Keys specifies one or more
|
|
public keys.
|
|
properties:
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set,
|
|
is used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamurce.
|
|
type: string
|
|
type: object
|
|
kms:
|
|
description: |-
|
|
KMS provides the URI to the public key stored in a Key Management System. See:
|
|
https://github.com/sigstore/cosign/blob/main/KMS.md
|
|
type: string
|
|
publicKeys:
|
|
description: |-
|
|
Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
|
|
specified or can be a variable reference to a key specified in a ConfigMap (see
|
|
https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
|
|
elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
|
|
The named Secret must specify a key `cosign.pub` containing the public key used for
|
|
verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
|
|
When multiple keys are specified each key is processed as a separate staticKey entry
|
|
(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
transparency log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
secret:
|
|
description: Reference to a Secret
|
|
resource that contains a public
|
|
key
|
|
properties:
|
|
name:
|
|
description: Name of the secret.
|
|
The provided secret must contain
|
|
a key named cosign.pub.
|
|
type: string
|
|
namespace:
|
|
description: Namespace name
|
|
where the Secret exists.
|
|
type: string
|
|
required:
|
|
- name
|
|
- namespace
|
|
type: object
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Deprecated. Use attestor.signatureAlgorithm
|
|
instead.
|
|
type: string
|
|
type: object
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
|
|
If specified, Repository will override other OCI image repository locations for this Attestor.
|
|
type: string
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Specify signature algorithm
|
|
for public keys. Supported values
|
|
are sha224, sha256, sha384 and sha512.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
dryRun:
|
|
description: DryRun configuration
|
|
properties:
|
|
enable:
|
|
type: boolean
|
|
namespace:
|
|
type: string
|
|
type: object
|
|
ignoreFields:
|
|
description: Fields which will be ignored while
|
|
comparing manifests.
|
|
items:
|
|
properties:
|
|
fields:
|
|
items:
|
|
type: string
|
|
type: array
|
|
objects:
|
|
items:
|
|
properties:
|
|
group:
|
|
type: string
|
|
kind:
|
|
type: string
|
|
name:
|
|
type: string
|
|
namespace:
|
|
type: string
|
|
version:
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for resource bundle reference.
|
|
The repository can be overridden per Attestor or Attestation.
|
|
type: string
|
|
type: object
|
|
message:
|
|
description: Message specifies a custom message to be
|
|
displayed on failure.
|
|
type: string
|
|
pattern:
|
|
description: Pattern specifies an overlay-style pattern
|
|
used to check resources.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
podSecurity:
|
|
description: |-
|
|
PodSecurity applies exemptions for Kubernetes Pod Security admission
|
|
by specifying exclusions for Pod Security Standards controls.
|
|
properties:
|
|
exclude:
|
|
description: Exclude specifies the Pod Security
|
|
Standard controls to be excluded.
|
|
items:
|
|
description: PodSecurityStandard specifies the
|
|
Pod Security Standard controls to be excluded.
|
|
properties:
|
|
controlName:
|
|
description: |-
|
|
ControlName specifies the name of the Pod Security Standard control.
|
|
See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
|
|
enum:
|
|
- HostProcess
|
|
- Host Namespaces
|
|
- Privileged Containers
|
|
- Capabilities
|
|
- HostPath Volumes
|
|
- Host Ports
|
|
- AppArmor
|
|
- SELinux
|
|
- /proc Mount Type
|
|
- Seccomp
|
|
- Sysctls
|
|
- Volume Types
|
|
- Privilege Escalation
|
|
- Running as Non-root
|
|
- Running as Non-root user
|
|
type: string
|
|
images:
|
|
description: |-
|
|
Images selects matching containers and applies the container level PSS.
|
|
Each image is the image name consisting of the registry address, repository, image, and tag.
|
|
Empty list matches no containers, PSS checks are applied at the pod level only.
|
|
Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
|
|
items:
|
|
type: string
|
|
type: array
|
|
restrictedField:
|
|
description: |-
|
|
RestrictedField selects the field for the given Pod Security Standard control.
|
|
When not set, all restricted fields for the control are selected.
|
|
type: string
|
|
values:
|
|
description: Values defines the allowed values
|
|
that can be excluded.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- controlName
|
|
type: object
|
|
type: array
|
|
level:
|
|
description: |-
|
|
Level defines the Pod Security Standard level to be applied to workloads.
|
|
Allowed values are privileged, baseline, and restricted.
|
|
enum:
|
|
- privileged
|
|
- baseline
|
|
- restricted
|
|
type: string
|
|
version:
|
|
description: |-
|
|
Version defines the Pod Security Standard versions that Kubernetes supports.
|
|
Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
|
|
enum:
|
|
- v1.19
|
|
- v1.20
|
|
- v1.21
|
|
- v1.22
|
|
- v1.23
|
|
- v1.24
|
|
- v1.25
|
|
- v1.26
|
|
- v1.27
|
|
- v1.28
|
|
- v1.29
|
|
- latest
|
|
type: string
|
|
type: object
|
|
type: object
|
|
verifyImages:
|
|
description: VerifyImages is used to verify image signatures
|
|
and mutate them to add a digest
|
|
items:
|
|
description: |-
|
|
ImageVerification validates that images that match the specified pattern
|
|
are signed with the supplied public key. Once the image is verified it is
|
|
mutated to include the SHA digest retrieved during the registration.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: Deprecated.
|
|
type: object
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: Deprecated. Use annotations per Attestor
|
|
instead.
|
|
type: object
|
|
attestations:
|
|
description: |-
|
|
Attestations are optional checks for signed in-toto Statements used to verify the image.
|
|
See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
|
|
OCI registry and decodes them into a list of Statement declarations.
|
|
items:
|
|
description: |-
|
|
Attestation is a check for signed in-toto Statements that are used to verify the image.
|
|
See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
|
|
OCI registry and decodes them into a list of Statements.
|
|
properties:
|
|
attestors:
|
|
description: Attestors specify the required
|
|
attestors (i.e. authorities).
|
|
items:
|
|
properties:
|
|
count:
|
|
description: |-
|
|
Count specifies the required number of entries that must match. If the count is null, all entries must match
|
|
(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
|
|
value N, then N must be less than or equal to the size of entries, and at least N entries must match.
|
|
minimum: 1
|
|
type: integer
|
|
entries:
|
|
description: |-
|
|
Entries contains the available attestors. An attestor can be a static key,
|
|
attributes for keyless verification, or a nested attestor declaration.
|
|
items:
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations are used for image verification.
|
|
Every specified key-value pair must exist and match in the verified payload.
|
|
The payload may contain other key-value pairs.
|
|
type: object
|
|
attestor:
|
|
description: Attestor is a nested
|
|
set of Attestor used to specify
|
|
a more complex set of match authorities.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
certificates:
|
|
description: Certificates specifies
|
|
one or more certificates.
|
|
properties:
|
|
cert:
|
|
description: Cert is an optional
|
|
PEM-encoded public certificate.
|
|
type: string
|
|
certChain:
|
|
description: CertChain is an
|
|
optional PEM encoded set of
|
|
certificates used to verify.
|
|
type: string
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if
|
|
set, is used to validate
|
|
SCTs against a custom
|
|
source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamurce.
|
|
type: string
|
|
type: object
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog
|
|
skips transparency log
|
|
verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the
|
|
address of the transparency
|
|
log. Defaults to the public
|
|
Rekor log instance https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
keyless:
|
|
description: |-
|
|
Keyless is a set of attributes used to verify a Sigstore keyless attestor.
|
|
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions
|
|
are certificate-extensions
|
|
used for keyless signing.
|
|
type: object
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if
|
|
set, is used to validate
|
|
SCTs against a custom
|
|
source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamurce.
|
|
type: string
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
issuerRegExp:
|
|
description: IssuerRegExp is
|
|
the regular expression to
|
|
match certificate issuer used
|
|
for keyless signing.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog
|
|
skips transparency log
|
|
verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the
|
|
address of the transparency
|
|
log. Defaults to the public
|
|
Rekor log instance https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
roots:
|
|
description: |-
|
|
Roots is an optional set of PEM encoded trusted root certificates.
|
|
If not provided, the system roots are used.
|
|
type: string
|
|
subject:
|
|
description: Subject is the
|
|
verified identity used for
|
|
keyless signing, for example
|
|
the email address.
|
|
type: string
|
|
subjectRegExp:
|
|
description: SubjectRegExp is
|
|
the regular expression to
|
|
match identity used for keyless
|
|
signing, for example the email
|
|
address.
|
|
type: string
|
|
type: object
|
|
keys:
|
|
description: Keys specifies one
|
|
or more public keys.
|
|
properties:
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if
|
|
set, is used to validate
|
|
SCTs against a custom
|
|
source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamurce.
|
|
type: string
|
|
type: object
|
|
kms:
|
|
description: |-
|
|
KMS provides the URI to the public key stored in a Key Management System. See:
|
|
https://github.com/sigstore/cosign/blob/main/KMS.md
|
|
type: string
|
|
publicKeys:
|
|
description: |-
|
|
Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
|
|
specified or can be a variable reference to a key specified in a ConfigMap (see
|
|
https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
|
|
elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
|
|
The named Secret must specify a key `cosign.pub` containing the public key used for
|
|
verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
|
|
When multiple keys are specified each key is processed as a separate staticKey entry
|
|
(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog
|
|
skips transparency log
|
|
verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the
|
|
address of the transparency
|
|
log. Defaults to the public
|
|
Rekor log instance https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
secret:
|
|
description: Reference to a
|
|
Secret resource that contains
|
|
a public key
|
|
properties:
|
|
name:
|
|
description: Name of the
|
|
secret. The provided secret
|
|
must contain a key named
|
|
cosign.pub.
|
|
type: string
|
|
namespace:
|
|
description: Namespace name
|
|
where the Secret exists.
|
|
type: string
|
|
required:
|
|
- name
|
|
- namespace
|
|
type: object
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Deprecated. Use
|
|
attestor.signatureAlgorithm
|
|
instead.
|
|
type: string
|
|
type: object
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
|
|
If specified, Repository will override other OCI image repository locations for this Attestor.
|
|
type: string
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Specify signature algorithm
|
|
for public keys. Supported values
|
|
are sha224, sha256, sha384 and
|
|
sha512.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
conditions:
|
|
description: |-
|
|
Conditions are used to verify attributes within a Predicate. If no Conditions are specified
|
|
the attestation check is satisfied as long as there are predicates that match the predicate type.
|
|
items:
|
|
description: |-
|
|
AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
|
|
AnyConditions get fulfilled when at least one of its sub-conditions passes.
|
|
AllConditions get fulfilled only when all of its sub-conditions pass.
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context
|
|
entry (using JMESPath) for conditional
|
|
rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be a fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions need to pass
|
|
items:
|
|
description: Condition defines variable-based
|
|
conditional criteria for rule execution.
|
|
properties:
|
|
key:
|
|
description: Key is the context
|
|
entry (using JMESPath) for conditional
|
|
rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional
|
|
display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- In
|
|
- AnyIn
|
|
- AllIn
|
|
- NotIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be a fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
predicateType:
|
|
description: Deprecated in favour of 'Type',
|
|
to be removed soon
|
|
type: string
|
|
type:
|
|
description: Type defines the type of attestation
|
|
contained within the Statement.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
attestors:
|
|
description: Attestors specify the required attestors
|
|
(i.e. authorities)
|
|
items:
|
|
properties:
|
|
count:
|
|
description: |-
|
|
Count specifies the required number of entries that must match. If the count is null, all entries must match
|
|
(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
|
|
value N, then N must be less than or equal to the size of entries, and at least N entries must match.
|
|
minimum: 1
|
|
type: integer
|
|
entries:
|
|
description: |-
|
|
Entries contains the available attestors. An attestor can be a static key,
|
|
attributes for keyless verification, or a nested attestor declaration.
|
|
items:
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations are used for image verification.
|
|
Every specified key-value pair must exist and match in the verified payload.
|
|
The payload may contain other key-value pairs.
|
|
type: object
|
|
attestor:
|
|
description: Attestor is a nested set
|
|
of Attestor used to specify a more complex
|
|
set of match authorities.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
certificates:
|
|
description: Certificates specifies one
|
|
or more certificates.
|
|
properties:
|
|
cert:
|
|
description: Cert is an optional PEM-encoded
|
|
public certificate.
|
|
type: string
|
|
certChain:
|
|
description: CertChain is an optional
|
|
PEM encoded set of certificates
|
|
used to verify.
|
|
type: string
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set, is
|
|
used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamurce.
|
|
type: string
|
|
type: object
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
transparency log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
keyless:
|
|
description: |-
|
|
Keyless is a set of attributes used to verify a Sigstore keyless attestor.
|
|
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
|
|
properties:
|
|
additionalExtensions:
|
|
additionalProperties:
|
|
type: string
|
|
description: AdditionalExtensions
|
|
are certificate-extensions used
|
|
for keyless signing.
|
|
type: object
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set, is
|
|
used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamurce.
|
|
type: string
|
|
type: object
|
|
issuer:
|
|
description: Issuer is the certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
issuerRegExp:
|
|
description: IssuerRegExp is the regular
|
|
expression to match certificate
|
|
issuer used for keyless signing.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
transparency log verification.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
roots:
|
|
description: |-
|
|
Roots is an optional set of PEM encoded trusted root certificates.
|
|
If not provided, the system roots are used.
|
|
type: string
|
|
subject:
|
|
description: Subject is the verified
|
|
identity used for keyless signing,
|
|
for example the email address.
|
|
type: string
|
|
subjectRegExp:
|
|
description: SubjectRegExp is the
|
|
regular expression to match identity
|
|
used for keyless signing, for example
|
|
the email address.
|
|
type: string
|
|
type: object
|
|
keys:
|
|
description: Keys specifies one or more
|
|
public keys.
|
|
properties:
|
|
ctlog:
|
|
description: |-
|
|
CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
|
|
Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
|
|
properties:
|
|
ignoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true only if SCT verification was deliberately opted out of during signing, as this disables the check.
|
|
type: boolean
|
|
pubkey:
|
|
description: PubKey, if set, is
|
|
used to validate SCTs against
|
|
a custom source.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamp response.
|
|
type: string
|
|
type: object
|
|
kms:
|
|
description: |-
|
|
KMS provides the URI to the public key stored in a Key Management System. See:
|
|
https://github.com/sigstore/cosign/blob/main/KMS.md
|
|
type: string
|
|
publicKeys:
|
|
description: |-
|
|
Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
|
|
specified or can be a variable reference to a key specified in a ConfigMap (see
|
|
https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
|
|
elsewhere in the cluster by specifying it in the format "k8s://<namespace>/<secret_name>".
|
|
The named Secret must specify a key `cosign.pub` containing the public key used for
|
|
verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
|
|
When multiple keys are specified each key is processed as a separate staticKey entry
|
|
(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
|
|
type: string
|
|
rekor:
|
|
description: |-
|
|
Rekor provides configuration for the Rekor transparency log service. If an empty object
|
|
is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
|
|
properties:
|
|
ignoreTlog:
|
|
description: IgnoreTlog skips
|
|
transparency log verification. Set to true only for signatures that were deliberately created without a transparency log entry; this disables that check entirely.
|
|
type: boolean
|
|
pubkey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
url:
|
|
description: URL is the address
|
|
of the transparency log. Defaults
|
|
to the public Rekor log instance
|
|
https://rekor.sigstore.dev.
|
|
type: string
|
|
type: object
|
|
secret:
|
|
description: Reference to a Secret
|
|
resource that contains a public
|
|
key
|
|
properties:
|
|
name:
|
|
description: Name of the secret.
|
|
The provided secret must contain
|
|
a key named cosign.pub.
|
|
type: string
|
|
namespace:
|
|
description: Namespace name where
|
|
the Secret exists.
|
|
type: string
|
|
required:
|
|
- name
|
|
- namespace
|
|
type: object
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Deprecated. Use attestor.signatureAlgorithm
|
|
instead.
|
|
type: string
|
|
type: object
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
|
|
If specified Repository will override other OCI image repository locations for this Attestor.
|
|
type: string
|
|
signatureAlgorithm:
|
|
default: sha256
|
|
description: Specify signature algorithm
|
|
for public keys, i.e. the hash algorithm used when verifying signatures. Supported values are
|
|
sha224, sha256, sha384 and sha512.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
cosignOCI11:
|
|
description: |-
|
|
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
|
Defaults to false.
|
|
type: boolean
|
|
failureAction:
|
|
description: Allowed values are Audit or Enforce.
|
|
enum:
|
|
- Audit
|
|
- Enforce
|
|
type: string
|
|
image:
|
|
description: Deprecated. Use ImageReferences instead.
|
|
type: string
|
|
imageReferences:
|
|
description: |-
|
|
ImageReferences is a list of matching image reference patterns. At least one pattern in the
|
|
list must match the image for the rule to apply. Each image reference consists of a registry
|
|
address (defaults to docker.io), repository, image, and tag (defaults to latest).
|
|
Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
|
|
items:
|
|
type: string
|
|
type: array
|
|
imageRegistryCredentials:
|
|
description: ImageRegistryCredentials provides credentials
|
|
that will be used for authentication with registry.
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows insecure
|
|
access to a registry. This weakens transport security for image and signature fetches and is intended for testing environments only.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of registry credential providers to use for authentication.
|
|
Each entry must be one of: default, google, azure, amazon, github.
|
|
items:
|
|
description: ImageRegistryCredentialsProvidersType
|
|
provides the list of credential providers
|
|
required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
issuer:
|
|
description: Deprecated. Use KeylessAttestor instead.
|
|
type: string
|
|
key:
|
|
description: Deprecated. Use StaticKeyAttestor instead.
|
|
type: string
|
|
mutateDigest:
|
|
default: true
|
|
description: |-
|
|
MutateDigest enables replacement of image tags with digests.
|
|
Defaults to true.
|
|
type: boolean
|
|
repository:
|
|
description: |-
|
|
Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
|
|
If specified Repository will override the default OCI image repository configured for the installation.
|
|
The repository can also be overridden per Attestor or Attestation.
|
|
type: string
|
|
required:
|
|
default: true
|
|
description: Required validates that images are verified
|
|
i.e. have passed a signature or attestation
|
|
check.
|
|
type: boolean
|
|
roots:
|
|
description: Deprecated. Use KeylessAttestor instead.
|
|
type: string
|
|
skipImageReferences:
|
|
description: |-
|
|
SkipImageReferences is a list of matching image reference patterns that should be skipped.
|
|
At least one pattern in the list must match the image for the rule to be skipped. Each image reference
|
|
consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
|
|
Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subject:
|
|
description: Deprecated. Use KeylessAttestor instead.
|
|
type: string
|
|
type:
|
|
description: |-
|
|
Type specifies the method of signature validation. The allowed options
|
|
are Cosign, SigstoreBundle and Notary. By default Cosign is used if a type is not specified.
|
|
enum:
|
|
- Cosign
|
|
- SigstoreBundle
|
|
- Notary
|
|
type: string
|
|
useCache:
|
|
default: true
|
|
description: UseCache enables caching of image verify
|
|
responses for this rule.
|
|
type: boolean
|
|
verifyDigest:
|
|
default: true
|
|
description: VerifyDigest validates that images have
|
|
a digest.
|
|
type: boolean
|
|
type: object
|
|
type: array
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
type: object
|
|
conditions:
|
|
items:
|
|
description: Condition contains details for one aspect of the current
|
|
state of this API Resource.
|
|
properties:
|
|
lastTransitionTime:
|
|
description: |-
|
|
lastTransitionTime is the last time the condition transitioned from one status to another.
|
|
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
|
|
format: date-time
|
|
type: string
|
|
message:
|
|
description: |-
|
|
message is a human readable message indicating details about the transition.
|
|
This may be an empty string.
|
|
maxLength: 32768
|
|
type: string
|
|
observedGeneration:
|
|
description: |-
|
|
observedGeneration represents the .metadata.generation that the condition was set based upon.
|
|
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
|
|
with respect to the current state of the instance.
|
|
format: int64
|
|
minimum: 0
|
|
type: integer
|
|
reason:
|
|
description: |-
|
|
reason contains a programmatic identifier indicating the reason for the condition's last transition.
|
|
Producers of specific condition types may define expected values and meanings for this field,
|
|
and whether the values are considered a guaranteed API.
|
|
The value should be a CamelCase string.
|
|
This field may not be empty.
|
|
maxLength: 1024
|
|
minLength: 1
|
|
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
|
type: string
|
|
status:
|
|
description: status of the condition, one of True, False, Unknown.
|
|
enum:
|
|
- "True"
|
|
- "False"
|
|
- Unknown
|
|
type: string
|
|
type:
|
|
description: type of condition in CamelCase or in foo.example.com/CamelCase.
|
|
maxLength: 316
|
|
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
|
type: string
|
|
required:
|
|
- lastTransitionTime
|
|
- message
|
|
- reason
|
|
- status
|
|
- type
|
|
type: object
|
|
type: array
|
|
ready:
|
|
description: Deprecated in favor of Conditions
|
|
type: boolean
|
|
rulecount:
|
|
description: |-
|
|
RuleCountStatus contains four counters which describe the counts for
|
|
validate, generate, mutate and verify images rules
|
|
properties:
|
|
generate:
|
|
description: Count for generate rules in policy
|
|
type: integer
|
|
mutate:
|
|
description: Count for mutate rules in policy
|
|
type: integer
|
|
validate:
|
|
description: Count for validate rules in policy
|
|
type: integer
|
|
verifyimages:
|
|
description: Count for verify image rules in policy
|
|
type: integer
|
|
required:
|
|
- generate
|
|
- mutate
|
|
- validate
|
|
- verifyimages
|
|
type: object
|
|
validatingadmissionpolicy:
|
|
description: ValidatingAdmissionPolicy contains status information
|
|
properties:
|
|
generated:
|
|
description: Generated indicates whether a validating admission
|
|
policy is generated from the policy or not
|
|
type: boolean
|
|
message:
|
|
description: |-
|
|
Message is a human readable message indicating details about the generation of validating admission policy
|
|
It is an empty string when validating admission policy is successfully generated.
|
|
type: string
|
|
required:
|
|
- generated
|
|
- message
|
|
type: object
|
|
type: object
|
|
required:
|
|
- spec
|
|
type: object
|
|
served: true
|
|
storage: false
|
|
subresources:
|
|
status: {}
|
|
---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/component: crds
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/managed-by: Helm
|
|
app.kubernetes.io/part-of: kyverno-crds
|
|
app.kubernetes.io/version: v0.0.0
|
|
helm.sh/chart: crds-v0.0.0
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.16.1
|
|
name: policyexceptions.kyverno.io
|
|
spec:
|
|
group: kyverno.io
|
|
names:
|
|
categories:
|
|
- kyverno
|
|
kind: PolicyException
|
|
listKind: PolicyExceptionList
|
|
plural: policyexceptions
|
|
shortNames:
|
|
- polex
|
|
singular: policyexception
|
|
scope: Namespaced
|
|
versions:
|
|
- name: v2
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: PolicyException declares resources to be excluded from specified
|
|
policies.
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion defines the versioned schema of this representation of an object.
|
|
Servers should convert recognized schemas to the latest internal value, and
|
|
may reject unrecognized values.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is a string value representing the REST resource this object represents.
|
|
Servers may infer this from the endpoint the client submits requests to.
|
|
Cannot be updated.
|
|
In CamelCase.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Spec declares policy exception behaviors.
|
|
properties:
|
|
background:
|
|
description: |-
|
|
Background controls if exceptions are applied to existing policies during a background scan.
|
|
Optional. Default value is "true". The value must be set to "false" if the policy rule
|
|
uses variables that are only available in the admission review request (e.g. user name).
|
|
type: boolean
|
|
conditions:
|
|
description: |-
|
|
Conditions are used to determine if a resource applies to the exception by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements.
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass.
|
|
items:
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using JMESPath) for
|
|
conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, AnyIn, AllIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- AnyIn
|
|
- AllIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions need to pass.
|
|
items:
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using JMESPath) for
|
|
conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, AnyIn, AllIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- AnyIn
|
|
- AllIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
exceptions:
|
|
description: Exceptions is a list of policies and rules to be excluded
|
|
items:
|
|
description: Exception identifies a policy and the rules within it to which the exception applies
|
|
properties:
|
|
policyName:
|
|
description: |-
|
|
PolicyName identifies the policy to which the exception is applied.
|
|
The policy name uses the format <namespace>/<name> unless it
|
|
references a ClusterPolicy.
|
|
type: string
|
|
ruleNames:
|
|
description: RuleNames identifies the rules to which the exception
|
|
is applied.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- policyName
|
|
- ruleNames
|
|
type: object
|
|
type: array
|
|
match:
|
|
description: Match defines the match clause used to check if a resource
|
|
applies to the exception
|
|
not:
|
|
required:
|
|
- any
|
|
- all
|
|
properties:
|
|
all:
|
|
description: All allows specifying resources which will be ANDed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or "OR" between
|
|
resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information about
|
|
the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespaces names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used to
|
|
match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one of the
|
|
values CREATE, UPDATE, CONNECT, DELETE, which are
|
|
used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: Any allows specifying resources which will be ORed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or "OR" between
|
|
resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information about
|
|
the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespaces names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used to
|
|
match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one of the
|
|
values CREATE, UPDATE, CONNECT, DELETE, which are
|
|
used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
type: object
|
|
podSecurity:
|
|
description: |-
|
|
PodSecurity specifies the Pod Security Standard controls to be excluded.
|
|
Applicable only to policies that have validate.podSecurity subrule.
|
|
items:
|
|
description: PodSecurityStandard specifies the Pod Security Standard
|
|
controls to be excluded.
|
|
properties:
|
|
controlName:
|
|
description: |-
|
|
ControlName specifies the name of the Pod Security Standard control.
|
|
See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
|
|
enum:
|
|
- HostProcess
|
|
- Host Namespaces
|
|
- Privileged Containers
|
|
- Capabilities
|
|
- HostPath Volumes
|
|
- Host Ports
|
|
- AppArmor
|
|
- SELinux
|
|
- /proc Mount Type
|
|
- Seccomp
|
|
- Sysctls
|
|
- Volume Types
|
|
- Privilege Escalation
|
|
- Running as Non-root
|
|
- Running as Non-root user
|
|
type: string
|
|
images:
|
|
description: |-
|
|
Images selects matching containers and applies the container level PSS.
|
|
Each image is the image name consisting of the registry address, repository, image, and tag.
|
|
Empty list matches no containers, PSS checks are applied at the pod level only.
|
|
Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
|
|
items:
|
|
type: string
|
|
type: array
|
|
restrictedField:
|
|
description: |-
|
|
RestrictedField selects the field for the given Pod Security Standard control.
|
|
When not set, all restricted fields for the control are selected.
|
|
type: string
|
|
values:
|
|
description: Values defines the allowed values that can be excluded.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- controlName
|
|
type: object
|
|
type: array
|
|
required:
|
|
- exceptions
|
|
- match
|
|
type: object
|
|
required:
|
|
- spec
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
- deprecated: true
|
|
name: v2beta1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: PolicyException declares resources to be excluded from specified
|
|
policies.
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion defines the versioned schema of this representation of an object.
|
|
Servers should convert recognized schemas to the latest internal value, and
|
|
may reject unrecognized values.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is a string value representing the REST resource this object represents.
|
|
Servers may infer this from the endpoint the client submits requests to.
|
|
Cannot be updated.
|
|
In CamelCase.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Spec declares policy exception behaviors.
|
|
properties:
|
|
background:
|
|
description: |-
|
|
Background controls if exceptions are applied to existing policies during a background scan.
|
|
Optional. Default value is "true". The value must be set to "false" if the policy rule
|
|
uses variables that are only available in the admission review request (e.g. user name).
|
|
type: boolean
|
|
conditions:
|
|
description: |-
|
|
Conditions are used to determine if a resource applies to the exception by evaluating a
|
|
set of conditions. The declaration can contain nested `any` or `all` statements.
|
|
properties:
|
|
all:
|
|
description: |-
|
|
AllConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, all of the conditions need to pass.
|
|
items:
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using JMESPath) for
|
|
conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- AnyIn
|
|
- AllIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: |-
|
|
AnyConditions enable variable-based conditional rule execution. This is useful for
|
|
finer control of when a rule is applied. A condition can reference object data
|
|
using JMESPath notation.
|
|
Here, at least one of the conditions need to pass.
|
|
items:
|
|
properties:
|
|
key:
|
|
description: Key is the context entry (using JMESPath) for
|
|
conditional rule evaluation.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
message:
|
|
description: Message is an optional display message
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
Operator is the conditional operation to perform. Valid operators are:
|
|
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
|
|
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
|
|
DurationLessThanOrEquals, DurationLessThan
|
|
enum:
|
|
- Equals
|
|
- NotEquals
|
|
- AnyIn
|
|
- AllIn
|
|
- AnyNotIn
|
|
- AllNotIn
|
|
- GreaterThanOrEquals
|
|
- GreaterThan
|
|
- LessThanOrEquals
|
|
- LessThan
|
|
- DurationGreaterThanOrEquals
|
|
- DurationGreaterThan
|
|
- DurationLessThanOrEquals
|
|
- DurationLessThan
|
|
type: string
|
|
value:
|
|
description: |-
|
|
Value is the conditional value, or set of values. The values can be fixed set
|
|
or can be variables declared using JMESPath.
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
type: object
|
|
type: array
|
|
type: object
|
|
exceptions:
|
|
description: Exceptions is a list of policies/rules to be excluded
|
|
items:
|
|
description: Exception stores information about a policy and its rules
|
|
properties:
|
|
policyName:
|
|
description: |-
|
|
PolicyName identifies the policy to which the exception is applied.
|
|
The policy name uses the format <namespace>/<name> unless it
|
|
references a ClusterPolicy.
|
|
type: string
|
|
ruleNames:
|
|
description: RuleNames identifies the rules to which the exception
|
|
is applied.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- policyName
|
|
- ruleNames
|
|
type: object
|
|
type: array
|
|
match:
|
|
description: Match defines match clause used to check if a resource
|
|
applies to the exception
|
|
not:
|
|
required:
|
|
- any
|
|
- all
|
|
properties:
|
|
all:
|
|
description: All allows specifying resources which will be ANDed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or "OR" between
|
|
resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information about
|
|
the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE,
|
|
"UPDATE", "CONNECT", "DELETE"], which are used to
|
|
match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one of the
|
|
values CREATE, UPDATE, CONNECT, DELETE, which are
|
|
used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
any:
|
|
description: Any allows specifying resources which will be ORed
|
|
items:
|
|
description: ResourceFilter allow users to "AND" or "OR" between
|
|
resources
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is the list of cluster-wide role
|
|
names for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
resources:
|
|
description: ResourceDescription contains information about
|
|
the resource being created or modified.
|
|
not:
|
|
required:
|
|
- name
|
|
- names
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
|
|
and values support the wildcard characters "*" (matches zero or many characters) and
|
|
"?" (matches at least one character).
|
|
type: object
|
|
kinds:
|
|
description: Kinds is a list of resource kinds.
|
|
items:
|
|
type: string
|
|
type: array
|
|
name:
|
|
description: |-
|
|
Name is the name of the resource. The name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
NOTE: "Name" is being deprecated in favor of "Names".
|
|
type: string
|
|
names:
|
|
description: |-
|
|
Names are the names of the resources. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector is a label selector for the resource namespace. Label keys and values
|
|
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
|
|
and `?` (matches one character). Wildcards allow writing label selectors like
|
|
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
|
|
does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
namespaces:
|
|
description: |-
|
|
Namespaces is a list of namespace names. Each name supports wildcard characters
|
|
"*" (matches zero or many characters) and "?" (at least one character).
|
|
items:
|
|
type: string
|
|
type: array
|
|
operations:
|
|
description: Operations can contain values ["CREATE",
|
|
"UPDATE", "CONNECT", "DELETE"], which are used to
|
|
match a specific action.
|
|
items:
|
|
description: AdmissionOperation can have one of the
|
|
values CREATE, UPDATE, CONNECT, DELETE, which are
|
|
used to match a specific action.
|
|
enum:
|
|
- CREATE
|
|
- CONNECT
|
|
- UPDATE
|
|
- DELETE
|
|
type: string
|
|
type: array
|
|
selector:
|
|
description: |-
|
|
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
|
|
characters `*` (matches zero or many characters) and `?` (matches one character).
|
|
Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that
|
|
using ["*" : "*"] matches any key and value but does not match an empty label set.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label
|
|
selector requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the
|
|
selector applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
roles:
|
|
description: Roles is the list of namespaced role names
|
|
for the user.
|
|
items:
|
|
type: string
|
|
type: array
|
|
subjects:
|
|
description: Subjects is the list of subject names like
|
|
users, user groups, and service accounts.
|
|
items:
|
|
description: |-
|
|
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
|
|
or a value for non-objects such as user and group names.
|
|
properties:
|
|
apiGroup:
|
|
description: |-
|
|
APIGroup holds the API group of the referenced subject.
|
|
Defaults to "" for ServiceAccount subjects.
|
|
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
|
|
If the Authorizer does not recognize the kind value, the Authorizer should report an error.
|
|
type: string
|
|
name:
|
|
description: Name of the object being referenced.
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
|
|
the Authorizer should report an error.
|
|
type: string
|
|
required:
|
|
- kind
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
type: object
|
|
type: array
|
|
type: object
|
|
podSecurity:
|
|
description: |-
|
|
PodSecurity specifies the Pod Security Standard controls to be excluded.
|
|
Applicable only to policies that have validate.podSecurity subrule.
|
|
items:
|
|
description: PodSecurityStandard specifies the Pod Security Standard
|
|
controls to be excluded.
|
|
properties:
|
|
controlName:
|
|
description: |-
|
|
ControlName specifies the name of the Pod Security Standard control.
|
|
See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
|
|
enum:
|
|
- HostProcess
|
|
- Host Namespaces
|
|
- Privileged Containers
|
|
- Capabilities
|
|
- HostPath Volumes
|
|
- Host Ports
|
|
- AppArmor
|
|
- SELinux
|
|
- /proc Mount Type
|
|
- Seccomp
|
|
- Sysctls
|
|
- Volume Types
|
|
- Privilege Escalation
|
|
- Running as Non-root
|
|
- Running as Non-root user
|
|
type: string
|
|
images:
|
|
description: |-
|
|
Images selects matching containers and applies the container level PSS.
|
|
Each image is the image name consisting of the registry address, repository, image, and tag.
|
|
Empty list matches no containers, PSS checks are applied at the pod level only.
|
|
Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
|
|
items:
|
|
type: string
|
|
type: array
|
|
restrictedField:
|
|
description: |-
|
|
RestrictedField selects the field for the given Pod Security Standard control.
|
|
When not set, all restricted fields for the control are selected.
|
|
type: string
|
|
values:
|
|
description: Values defines the allowed values that can be excluded.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- controlName
|
|
type: object
|
|
type: array
|
|
required:
|
|
- exceptions
|
|
- match
|
|
type: object
|
|
required:
|
|
- spec
|
|
type: object
|
|
served: true
|
|
storage: false
|
|
---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/component: crds
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/managed-by: Helm
|
|
app.kubernetes.io/part-of: kyverno-crds
|
|
app.kubernetes.io/version: v0.0.0
|
|
helm.sh/chart: crds-v0.0.0
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.16.1
|
|
name: updaterequests.kyverno.io
|
|
spec:
|
|
group: kyverno.io
|
|
names:
|
|
categories:
|
|
- kyverno
|
|
kind: UpdateRequest
|
|
listKind: UpdateRequestList
|
|
plural: updaterequests
|
|
shortNames:
|
|
- ur
|
|
singular: updaterequest
|
|
scope: Namespaced
|
|
versions:
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .spec.policy
|
|
name: Policy
|
|
type: string
|
|
- jsonPath: .spec.rule
|
|
name: Rule
|
|
type: string
|
|
- jsonPath: .spec.requestType
|
|
name: RuleType
|
|
type: string
|
|
- jsonPath: .spec.resource.kind
|
|
name: ResourceKind
|
|
type: string
|
|
- jsonPath: .spec.resource.name
|
|
name: ResourceName
|
|
type: string
|
|
- jsonPath: .spec.resource.namespace
|
|
name: ResourceNamespace
|
|
type: string
|
|
- jsonPath: .status.state
|
|
name: status
|
|
type: string
|
|
- jsonPath: .metadata.creationTimestamp
|
|
name: Age
|
|
type: date
|
|
deprecated: true
|
|
name: v1beta1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: UpdateRequest is a request to process mutate and generate rules
|
|
in background.
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion defines the versioned schema of this representation of an object.
|
|
Servers should convert recognized schemas to the latest internal value, and
|
|
may reject unrecognized values.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is a string value representing the REST resource this object represents.
|
|
Servers may infer this from the endpoint the client submits requests to.
|
|
Cannot be updated.
|
|
In CamelCase.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: ResourceSpec is the information to identify the trigger resource.
|
|
properties:
|
|
context:
|
|
description: Context ...
|
|
properties:
|
|
admissionRequestInfo:
|
|
description: AdmissionRequestInfoObject stores the admission request
|
|
and operation details
|
|
properties:
|
|
admissionRequest:
|
|
description: AdmissionRequest describes the admission.Attributes
|
|
for the admission request.
|
|
properties:
|
|
dryRun:
|
|
description: |-
|
|
DryRun indicates that modifications will definitely not be persisted for this request.
|
|
Defaults to false.
|
|
type: boolean
|
|
kind:
|
|
description: Kind is the fully-qualified type of object
|
|
being submitted (for example, v1.Pod or autoscaling.v1.Scale)
|
|
properties:
|
|
group:
|
|
type: string
|
|
kind:
|
|
type: string
|
|
version:
|
|
type: string
|
|
required:
|
|
- group
|
|
- kind
|
|
- version
|
|
type: object
|
|
name:
|
|
description: |-
|
|
Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and
|
|
rely on the server to generate the name. If that is the case, this field will contain an empty string.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the namespace associated with
|
|
the request (if any).
|
|
type: string
|
|
object:
|
|
description: Object is the object from the incoming request.
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
oldObject:
|
|
description: OldObject is the existing object. Only populated
|
|
for DELETE and UPDATE requests.
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
operation:
|
|
description: |-
|
|
Operation is the operation being performed. This may be different than the operation
|
|
requested. e.g. a patch can result in either a CREATE or UPDATE Operation.
|
|
type: string
|
|
options:
|
|
description: |-
|
|
Options is the operation option structure of the operation being performed.
|
|
e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be
|
|
different than the options the caller provided. e.g. for a patch request the performed
|
|
Operation might be a CREATE, in which case the Options will be a
|
|
`meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
requestKind:
|
|
description: |-
|
|
RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
|
|
If this is specified and differs from the value in "kind", an equivalent match and conversion was performed.
|
|
|
|
For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
|
|
`apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
|
|
an API request to apps/v1beta1 deployments would be converted and sent to the webhook
|
|
with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for),
|
|
and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request).
|
|
|
|
See documentation for the "matchPolicy" field in the webhook configuration type for more details.
|
|
properties:
|
|
group:
|
|
type: string
|
|
kind:
|
|
type: string
|
|
version:
|
|
type: string
|
|
required:
|
|
- group
|
|
- kind
|
|
- version
|
|
type: object
|
|
requestResource:
|
|
description: |-
|
|
RequestResource is the fully-qualified resource of the original API request (for example, v1.pods).
|
|
If this is specified and differs from the value in "resource", an equivalent match and conversion was performed.
|
|
|
|
For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
|
|
`apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
|
|
an API request to apps/v1beta1 deployments would be converted and sent to the webhook
|
|
with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for),
|
|
and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request).
|
|
|
|
See documentation for the "matchPolicy" field in the webhook configuration type.
|
|
properties:
|
|
group:
|
|
type: string
|
|
resource:
|
|
type: string
|
|
version:
|
|
type: string
|
|
required:
|
|
- group
|
|
- resource
|
|
- version
|
|
type: object
|
|
requestSubResource:
|
|
description: |-
|
|
RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale")
|
|
If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed.
|
|
See documentation for the "matchPolicy" field in the webhook configuration type.
|
|
type: string
|
|
resource:
|
|
description: Resource is the fully-qualified resource
|
|
being requested (for example, v1.pods)
|
|
properties:
|
|
group:
|
|
type: string
|
|
resource:
|
|
type: string
|
|
version:
|
|
type: string
|
|
required:
|
|
- group
|
|
- resource
|
|
- version
|
|
type: object
|
|
subResource:
|
|
description: SubResource is the subresource being requested,
|
|
if any (for example, "status" or "scale")
|
|
type: string
|
|
uid:
|
|
description: |-
|
|
UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are
|
|
otherwise identical (parallel requests, requests when earlier requests did not modify etc)
|
|
The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request.
|
|
It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
|
|
type: string
|
|
userInfo:
|
|
description: UserInfo is information about the requesting
|
|
user
|
|
properties:
|
|
extra:
|
|
additionalProperties:
|
|
description: ExtraValue masks the value so protobuf
|
|
can generate
|
|
items:
|
|
type: string
|
|
type: array
|
|
description: Any additional information provided by
|
|
the authenticator.
|
|
type: object
|
|
groups:
|
|
description: The names of groups this user is a part
|
|
of.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
uid:
|
|
description: |-
|
|
A unique value that identifies this user across time. If this user is
|
|
deleted and another user by the same name is added, they will have
|
|
different UIDs.
|
|
type: string
|
|
username:
|
|
description: The name that uniquely identifies this
|
|
user among all active users.
|
|
type: string
|
|
type: object
|
|
required:
|
|
- kind
|
|
- operation
|
|
- resource
|
|
- uid
|
|
- userInfo
|
|
type: object
|
|
operation:
|
|
description: Operation is the type of resource operation being
|
|
checked for admission control
|
|
type: string
|
|
type: object
|
|
userInfo:
|
|
description: RequestInfo contains permission info carried in an
|
|
admission request.
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is a list of possible clusterRoles
|
|
of the user who sent the request.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
roles:
|
|
description: Roles is a list of possible roles of the user who sent the request.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
userInfo:
|
|
description: UserInfo is the userInfo carried in the admission
|
|
request.
|
|
properties:
|
|
extra:
|
|
additionalProperties:
|
|
description: ExtraValue masks the value so protobuf
|
|
can generate
|
|
items:
|
|
type: string
|
|
type: array
|
|
description: Any additional information provided by the
|
|
authenticator.
|
|
type: object
|
|
groups:
|
|
description: The names of groups this user is a part of.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
uid:
|
|
description: |-
|
|
A unique value that identifies this user across time. If this user is
|
|
deleted and another user by the same name is added, they will have
|
|
different UIDs.
|
|
type: string
|
|
username:
|
|
description: The name that uniquely identifies this user
|
|
among all active users.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
type: object
|
|
deleteDownstream:
|
|
description: DeleteDownstream represents whether the downstream needs
|
|
to be deleted.
|
|
type: boolean
|
|
policy:
|
|
description: Specifies the name of the policy.
|
|
type: string
|
|
requestType:
|
|
description: Type represents request type for background processing
|
|
enum:
|
|
- mutate
|
|
- generate
|
|
type: string
|
|
resource:
|
|
description: ResourceSpec is the information to identify the trigger
|
|
resource.
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
uid:
|
|
description: UID specifies the resource uid.
|
|
type: string
|
|
type: object
|
|
rule:
|
|
description: Rule is the associated rule name of the current UR.
|
|
type: string
|
|
synchronize:
|
|
description: |-
|
|
Synchronize represents the sync behavior of the corresponding rule
|
|
Optional. Defaults to "false" if not specified.
|
|
type: boolean
|
|
required:
|
|
- context
|
|
- deleteDownstream
|
|
- policy
|
|
- resource
|
|
- rule
|
|
type: object
|
|
status:
|
|
description: Status contains statistics related to update request.
|
|
properties:
|
|
generatedResources:
|
|
description: |-
|
|
This will track the resources that are updated by the generate Policy.
|
|
Will be used when cleaning up resources.
|
|
items:
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
uid:
|
|
description: UID specifies the resource uid.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
handler:
|
|
description: Deprecated
|
|
type: string
|
|
message:
|
|
description: Specifies request status message.
|
|
type: string
|
|
retryCount:
|
|
type: integer
|
|
state:
|
|
description: State represents state of the update request.
|
|
type: string
|
|
required:
|
|
- state
|
|
type: object
|
|
type: object
|
|
served: true
|
|
storage: false
|
|
subresources:
|
|
status: {}
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .spec.policy
|
|
name: Policy
|
|
type: string
|
|
- jsonPath: .spec.requestType
|
|
name: RuleType
|
|
type: string
|
|
- jsonPath: .spec.resource.kind
|
|
name: ResourceKind
|
|
type: string
|
|
- jsonPath: .spec.resource.name
|
|
name: ResourceName
|
|
type: string
|
|
- jsonPath: .spec.resource.namespace
|
|
name: ResourceNamespace
|
|
type: string
|
|
- jsonPath: .status.state
|
|
name: status
|
|
type: string
|
|
- jsonPath: .metadata.creationTimestamp
|
|
name: Age
|
|
type: date
|
|
name: v2
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: UpdateRequest is a request to process mutate and generate rules
|
|
in background.
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion defines the versioned schema of this representation of an object.
|
|
Servers should convert recognized schemas to the latest internal value, and
|
|
may reject unrecognized values.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is a string value representing the REST resource this object represents.
|
|
Servers may infer this from the endpoint the client submits requests to.
|
|
Cannot be updated.
|
|
In CamelCase.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: ResourceSpec is the information to identify the trigger resource.
|
|
properties:
|
|
context:
|
|
description: |-
|
|
Context represents admission request context.
|
|
It is used upon admission review only and is shared across rules within the same UR.
|
|
properties:
|
|
admissionRequestInfo:
|
|
description: AdmissionRequestInfoObject stores the admission request
|
|
and operation details
|
|
properties:
|
|
admissionRequest:
|
|
description: AdmissionRequest describes the admission.Attributes
|
|
for the admission request.
|
|
properties:
|
|
dryRun:
|
|
description: |-
|
|
DryRun indicates that modifications will definitely not be persisted for this request.
|
|
Defaults to false.
|
|
type: boolean
|
|
kind:
|
|
description: Kind is the fully-qualified type of object
|
|
being submitted (for example, v1.Pod or autoscaling.v1.Scale)
|
|
properties:
|
|
group:
|
|
type: string
|
|
kind:
|
|
type: string
|
|
version:
|
|
type: string
|
|
required:
|
|
- group
|
|
- kind
|
|
- version
|
|
type: object
|
|
name:
|
|
description: |-
|
|
Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and
|
|
rely on the server to generate the name. If that is the case, this field will contain an empty string.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the namespace associated with
|
|
the request (if any).
|
|
type: string
|
|
object:
|
|
description: Object is the object from the incoming request.
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
oldObject:
|
|
description: OldObject is the existing object. Only populated
|
|
for DELETE and UPDATE requests.
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
operation:
|
|
description: |-
|
|
Operation is the operation being performed. This may be different than the operation
|
|
requested. e.g. a patch can result in either a CREATE or UPDATE Operation.
|
|
type: string
|
|
options:
|
|
description: |-
|
|
Options is the operation option structure of the operation being performed.
|
|
e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be
|
|
different than the options the caller provided. e.g. for a patch request the performed
|
|
Operation might be a CREATE, in which case the Options will be a
|
|
`meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
requestKind:
|
|
description: |-
|
|
RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
|
|
If this is specified and differs from the value in "kind", an equivalent match and conversion was performed.
|
|
|
|
For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
|
|
`apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
|
|
an API request to apps/v1beta1 deployments would be converted and sent to the webhook
|
|
with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for),
|
|
and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request).
|
|
|
|
See documentation for the "matchPolicy" field in the webhook configuration type for more details.
|
|
properties:
|
|
group:
|
|
type: string
|
|
kind:
|
|
type: string
|
|
version:
|
|
type: string
|
|
required:
|
|
- group
|
|
- kind
|
|
- version
|
|
type: object
|
|
requestResource:
|
|
description: |-
|
|
RequestResource is the fully-qualified resource of the original API request (for example, v1.pods).
|
|
If this is specified and differs from the value in "resource", an equivalent match and conversion was performed.
|
|
|
|
For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
|
|
`apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
|
|
an API request to apps/v1beta1 deployments would be converted and sent to the webhook
|
|
with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for),
|
|
and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request).
|
|
|
|
See documentation for the "matchPolicy" field in the webhook configuration type.
|
|
properties:
|
|
group:
|
|
type: string
|
|
resource:
|
|
type: string
|
|
version:
|
|
type: string
|
|
required:
|
|
- group
|
|
- resource
|
|
- version
|
|
type: object
|
|
requestSubResource:
|
|
description: |-
|
|
RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale")
|
|
If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed.
|
|
See documentation for the "matchPolicy" field in the webhook configuration type.
|
|
type: string
|
|
resource:
|
|
description: Resource is the fully-qualified resource
|
|
being requested (for example, v1.pods)
|
|
properties:
|
|
group:
|
|
type: string
|
|
resource:
|
|
type: string
|
|
version:
|
|
type: string
|
|
required:
|
|
- group
|
|
- resource
|
|
- version
|
|
type: object
|
|
subResource:
|
|
description: SubResource is the subresource being requested,
|
|
if any (for example, "status" or "scale")
|
|
type: string
|
|
uid:
|
|
description: |-
|
|
UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are
|
|
otherwise identical (parallel requests, requests when earlier requests did not modify etc)
|
|
The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request.
|
|
It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
|
|
type: string
|
|
userInfo:
|
|
description: UserInfo is information about the requesting
|
|
user
|
|
properties:
|
|
extra:
|
|
additionalProperties:
|
|
description: ExtraValue masks the value so protobuf
|
|
can generate
|
|
items:
|
|
type: string
|
|
type: array
|
|
description: Any additional information provided by
|
|
the authenticator.
|
|
type: object
|
|
groups:
|
|
description: The names of groups this user is a part
|
|
of.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
uid:
|
|
description: |-
|
|
A unique value that identifies this user across time. If this user is
|
|
deleted and another user by the same name is added, they will have
|
|
different UIDs.
|
|
type: string
|
|
username:
|
|
description: The name that uniquely identifies this
|
|
user among all active users.
|
|
type: string
|
|
type: object
|
|
required:
|
|
- kind
|
|
- operation
|
|
- resource
|
|
- uid
|
|
- userInfo
|
|
type: object
|
|
operation:
|
|
description: Operation is the type of resource operation being
|
|
checked for admission control
|
|
type: string
|
|
type: object
|
|
userInfo:
|
|
description: RequestInfo contains permission info carried in an
|
|
admission request.
|
|
properties:
|
|
clusterRoles:
|
|
description: ClusterRoles is a list of possible clusterRoles
|
|
of the user who sent the request.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
roles:
|
|
description: Roles is a list of possible roles of the user who sent the request.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
userInfo:
|
|
description: UserInfo is the userInfo carried in the admission
|
|
request.
|
|
properties:
|
|
extra:
|
|
additionalProperties:
|
|
description: ExtraValue masks the value so protobuf
|
|
can generate
|
|
items:
|
|
type: string
|
|
type: array
|
|
description: Any additional information provided by the
|
|
authenticator.
|
|
type: object
|
|
groups:
|
|
description: The names of groups this user is a part of.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
uid:
|
|
description: |-
|
|
A unique value that identifies this user across time. If this user is
|
|
deleted and another user by the same name is added, they will have
|
|
different UIDs.
|
|
type: string
|
|
username:
|
|
description: The name that uniquely identifies this user
|
|
among all active users.
|
|
type: string
|
|
type: object
|
|
type: object
|
|
type: object
|
|
deleteDownstream:
|
|
description: |-
|
|
DeleteDownstream represents whether the downstream needs to be deleted.
|
|
Deprecated
|
|
type: boolean
|
|
policy:
|
|
description: Specifies the name of the policy.
|
|
type: string
|
|
requestType:
|
|
description: Type represents request type for background processing
|
|
enum:
|
|
- mutate
|
|
- generate
|
|
type: string
|
|
resource:
|
|
description: ResourceSpec is the information to identify the trigger
|
|
resource.
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
uid:
|
|
description: UID specifies the resource uid.
|
|
type: string
|
|
type: object
|
|
rule:
|
|
description: Rule is the associated rule name of the current UR.
|
|
type: string
|
|
ruleContext:
|
|
description: |-
|
|
RuleContext is the associated context used to apply rules.
|
|
Optional.
|
|
items:
|
|
properties:
|
|
deleteDownstream:
|
|
description: DeleteDownstream represents whether the downstream
|
|
needs to be deleted.
|
|
type: boolean
|
|
rule:
|
|
description: Rule is the associated rule name of the current
|
|
UR.
|
|
type: string
|
|
synchronize:
|
|
description: |-
|
|
Synchronize represents the sync behavior of the corresponding rule
|
|
Optional. Defaults to "false" if not specified.
|
|
type: boolean
|
|
trigger:
|
|
description: ResourceSpec is the information to identify the
|
|
trigger resource.
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
uid:
|
|
description: UID specifies the resource uid.
|
|
type: string
|
|
type: object
|
|
required:
|
|
- deleteDownstream
|
|
- rule
|
|
- trigger
|
|
type: object
|
|
type: array
|
|
synchronize:
|
|
description: |-
|
|
Synchronize represents the sync behavior of the corresponding rule
|
|
Optional. Defaults to "false" if not specified.
|
|
Deprecated, will be removed in 1.14.
|
|
type: boolean
|
|
required:
|
|
- context
|
|
- deleteDownstream
|
|
- policy
|
|
- resource
|
|
- rule
|
|
type: object
|
|
status:
|
|
description: Status contains statistics related to update request.
|
|
properties:
|
|
generatedResources:
|
|
description: |-
|
|
This will track the resources that are updated by the generate Policy.
|
|
Will be used when cleaning up resources.
|
|
items:
|
|
properties:
|
|
apiVersion:
|
|
description: APIVersion specifies resource apiVersion.
|
|
type: string
|
|
kind:
|
|
description: Kind specifies resource kind.
|
|
type: string
|
|
name:
|
|
description: Name specifies the resource name.
|
|
type: string
|
|
namespace:
|
|
description: Namespace specifies resource namespace.
|
|
type: string
|
|
uid:
|
|
description: UID specifies the resource uid.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
message:
|
|
description: Specifies request status message.
|
|
type: string
|
|
retryCount:
|
|
type: integer
|
|
state:
|
|
description: State represents state of the update request.
|
|
type: string
|
|
required:
|
|
- state
|
|
type: object
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources:
|
|
status: {}
|
|
---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/component: crds
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/managed-by: Helm
|
|
app.kubernetes.io/part-of: kyverno-crds
|
|
app.kubernetes.io/version: v0.0.0
|
|
helm.sh/chart: crds-v0.0.0
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.16.1
|
|
name: clusterephemeralreports.reports.kyverno.io
|
|
spec:
|
|
group: reports.kyverno.io
|
|
names:
|
|
categories:
|
|
- kyverno
|
|
kind: ClusterEphemeralReport
|
|
listKind: ClusterEphemeralReportList
|
|
plural: clusterephemeralreports
|
|
shortNames:
|
|
- cephr
|
|
singular: clusterephemeralreport
|
|
scope: Cluster
|
|
versions:
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .metadata.labels['audit\.kyverno\.io/source']
|
|
name: Source
|
|
type: string
|
|
- jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.group']
|
|
name: Group
|
|
type: string
|
|
- jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.kind']
|
|
name: Kind
|
|
type: string
|
|
- jsonPath: .metadata.annotations['audit\.kyverno\.io/resource\.name']
|
|
name: Owner
|
|
type: string
|
|
- jsonPath: .spec.summary.pass
|
|
name: Pass
|
|
type: integer
|
|
- jsonPath: .spec.summary.fail
|
|
name: Fail
|
|
type: integer
|
|
- jsonPath: .spec.summary.warn
|
|
name: Warn
|
|
type: integer
|
|
- jsonPath: .spec.summary.error
|
|
name: Error
|
|
type: integer
|
|
- jsonPath: .spec.summary.skip
|
|
name: Skip
|
|
type: integer
|
|
- jsonPath: .metadata.creationTimestamp
|
|
name: Age
|
|
type: date
|
|
- jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.uid']
|
|
name: Uid
|
|
type: string
|
|
- jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash']
|
|
name: Hash
|
|
priority: 1
|
|
type: string
|
|
name: v1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: ClusterEphemeralReport is the Schema for the ClusterEphemeralReports
|
|
API
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion defines the versioned schema of this representation of an object.
|
|
Servers should convert recognized schemas to the latest internal value, and
|
|
may reject unrecognized values.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is a string value representing the REST resource this object represents.
|
|
Servers may infer this from the endpoint the client submits requests to.
|
|
Cannot be updated.
|
|
In CamelCase.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
properties:
|
|
owner:
|
|
description: Owner is a reference to the report owner (e.g. a Deployment,
|
|
Namespace, or Node)
|
|
properties:
|
|
apiVersion:
|
|
description: API version of the referent.
|
|
type: string
|
|
blockOwnerDeletion:
|
|
description: |-
|
|
If true, AND if the owner has the "foregroundDeletion" finalizer, then
|
|
the owner cannot be deleted from the key-value store until this
|
|
reference is removed.
|
|
See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
|
|
for how the garbage collector interacts with this field and enforces the foreground deletion.
|
|
Defaults to false.
|
|
To set this field, a user needs "delete" permission of the owner,
|
|
otherwise 422 (Unprocessable Entity) will be returned.
|
|
type: boolean
|
|
controller:
|
|
description: If true, this reference points to the managing controller.
|
|
type: boolean
|
|
kind:
|
|
description: |-
|
|
Kind of the referent.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name of the referent.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
|
|
type: string
|
|
uid:
|
|
description: |-
|
|
UID of the referent.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
|
|
type: string
|
|
required:
|
|
- apiVersion
|
|
- kind
|
|
- name
|
|
- uid
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
results:
|
|
description: PolicyReportResult provides result details
|
|
items:
|
|
description: PolicyReportResult provides the result for an individual
|
|
policy
|
|
properties:
|
|
category:
|
|
description: Category indicates policy category
|
|
type: string
|
|
message:
|
|
description: Description is a short user friendly message for
|
|
the policy rule
|
|
type: string
|
|
policy:
|
|
description: Policy is the name or identifier of the policy
|
|
type: string
|
|
properties:
|
|
additionalProperties:
|
|
type: string
|
|
description: Properties provides additional information for
|
|
the policy rule
|
|
type: object
|
|
resourceSelector:
|
|
description: |-
|
|
SubjectSelector is an optional label selector for checked Kubernetes resources.
|
|
For example, a policy result may apply to all pods that match a label.
|
|
Either a Subject or a SubjectSelector can be specified.
|
|
If neither are provided, the result is assumed to be for the policy report scope.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label selector
|
|
requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the selector
|
|
applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
resources:
|
|
description: Subjects is an optional reference to the checked
|
|
Kubernetes resources
|
|
items:
|
|
description: ObjectReference contains enough information to
|
|
let you inspect or modify the referred object.
|
|
properties:
|
|
apiVersion:
|
|
description: API version of the referent.
|
|
type: string
|
|
fieldPath:
|
|
description: |-
|
|
If referring to a piece of an object instead of an entire object, this string
|
|
should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
|
|
For example, if the object reference is to a container within a pod, this would take on a value like:
|
|
"spec.containers{name}" (where "name" refers to the name of the container that triggered
|
|
the event) or if no container name is specified "spec.containers[2]" (container with
|
|
index 2 in this pod). This syntax is chosen only to have some well-defined way of
|
|
referencing a part of an object.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of the referent.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name of the referent.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referent.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
|
|
type: string
|
|
resourceVersion:
|
|
description: |-
|
|
Specific resourceVersion to which this reference is made, if any.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
|
|
type: string
|
|
uid:
|
|
description: |-
|
|
UID of the referent.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
|
|
type: string
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
result:
|
|
description: Result indicates the outcome of the policy rule
|
|
execution
|
|
enum:
|
|
- pass
|
|
- fail
|
|
- warn
|
|
- error
|
|
- skip
|
|
type: string
|
|
rule:
|
|
description: Rule is the name or identifier of the rule within
|
|
the policy
|
|
type: string
|
|
scored:
|
|
description: Scored indicates if this result is scored
|
|
type: boolean
|
|
severity:
|
|
description: Severity indicates policy check result criticality
|
|
enum:
|
|
- critical
|
|
- high
|
|
- low
|
|
- medium
|
|
- info
|
|
type: string
|
|
source:
|
|
description: Source is an identifier for the policy engine that
|
|
manages this report
|
|
type: string
|
|
timestamp:
|
|
description: Timestamp indicates the time the result was found
|
|
properties:
|
|
nanos:
|
|
description: |-
|
|
Non-negative fractions of a second at nanosecond resolution. Negative
|
|
second values with fractions must still have non-negative nanos values
|
|
that count forward in time. Must be from 0 to 999,999,999
|
|
inclusive. This field may be limited in precision depending on context.
|
|
format: int32
|
|
type: integer
|
|
seconds:
|
|
description: |-
|
|
Represents seconds of UTC time since Unix epoch
|
|
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
|
|
9999-12-31T23:59:59Z inclusive.
|
|
format: int64
|
|
type: integer
|
|
required:
|
|
- nanos
|
|
- seconds
|
|
type: object
|
|
required:
|
|
- policy
|
|
type: object
|
|
type: array
|
|
summary:
|
|
description: PolicyReportSummary provides a summary of results
|
|
properties:
|
|
error:
|
|
description: Error provides the count of policies that could not
|
|
be evaluated
|
|
type: integer
|
|
fail:
|
|
description: Fail provides the count of policies whose requirements
|
|
were not met
|
|
type: integer
|
|
pass:
|
|
description: Pass provides the count of policies whose requirements
|
|
were met
|
|
type: integer
|
|
skip:
|
|
description: Skip indicates the count of policies that were not
|
|
selected for evaluation
|
|
type: integer
|
|
warn:
|
|
description: Warn provides the count of non-scored policies whose
|
|
requirements were not met
|
|
type: integer
|
|
type: object
|
|
required:
|
|
- owner
|
|
type: object
|
|
required:
|
|
- spec
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources: {}
|
|
---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/component: crds
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/managed-by: Helm
|
|
app.kubernetes.io/part-of: kyverno-crds
|
|
app.kubernetes.io/version: v0.0.0
|
|
helm.sh/chart: crds-v0.0.0
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.16.1
|
|
name: ephemeralreports.reports.kyverno.io
|
|
spec:
|
|
group: reports.kyverno.io
|
|
names:
|
|
categories:
|
|
- kyverno
|
|
kind: EphemeralReport
|
|
listKind: EphemeralReportList
|
|
plural: ephemeralreports
|
|
shortNames:
|
|
- ephr
|
|
singular: ephemeralreport
|
|
scope: Namespaced
|
|
versions:
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .metadata.labels['audit\.kyverno\.io/source']
|
|
name: Source
|
|
type: string
|
|
- jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.group']
|
|
name: Group
|
|
type: string
|
|
- jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.kind']
|
|
name: Kind
|
|
type: string
|
|
- jsonPath: .metadata.annotations['audit\.kyverno\.io/resource\.name']
|
|
name: Owner
|
|
type: string
|
|
- jsonPath: .spec.summary.pass
|
|
name: Pass
|
|
type: integer
|
|
- jsonPath: .spec.summary.fail
|
|
name: Fail
|
|
type: integer
|
|
- jsonPath: .spec.summary.warn
|
|
name: Warn
|
|
type: integer
|
|
- jsonPath: .spec.summary.error
|
|
name: Error
|
|
type: integer
|
|
- jsonPath: .spec.summary.skip
|
|
name: Skip
|
|
type: integer
|
|
- jsonPath: .metadata.creationTimestamp
|
|
name: Age
|
|
type: date
|
|
- jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.uid']
|
|
name: Uid
|
|
priority: 1
|
|
type: string
|
|
- jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash']
|
|
name: Hash
|
|
priority: 1
|
|
type: string
|
|
name: v1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: EphemeralReport is the Schema for the EphemeralReports API
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion defines the versioned schema of this representation of an object.
|
|
Servers should convert recognized schemas to the latest internal value, and
|
|
may reject unrecognized values.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is a string value representing the REST resource this object represents.
|
|
Servers may infer this from the endpoint the client submits requests to.
|
|
Cannot be updated.
|
|
In CamelCase.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
properties:
|
|
owner:
|
|
description: Owner is a reference to the report owner (e.g. a Deployment,
|
|
Namespace, or Node)
|
|
properties:
|
|
apiVersion:
|
|
description: API version of the referent.
|
|
type: string
|
|
blockOwnerDeletion:
|
|
description: |-
|
|
If true, AND if the owner has the "foregroundDeletion" finalizer, then
|
|
the owner cannot be deleted from the key-value store until this
|
|
reference is removed.
|
|
See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
|
|
for how the garbage collector interacts with this field and enforces the foreground deletion.
|
|
Defaults to false.
|
|
To set this field, a user needs "delete" permission of the owner,
|
|
otherwise 422 (Unprocessable Entity) will be returned.
|
|
type: boolean
|
|
controller:
|
|
description: If true, this reference points to the managing controller.
|
|
type: boolean
|
|
kind:
|
|
description: |-
|
|
Kind of the referent.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name of the referent.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
|
|
type: string
|
|
uid:
|
|
description: |-
|
|
UID of the referent.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
|
|
type: string
|
|
required:
|
|
- apiVersion
|
|
- kind
|
|
- name
|
|
- uid
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
results:
|
|
description: PolicyReportResult provides result details
|
|
items:
|
|
description: PolicyReportResult provides the result for an individual
|
|
policy
|
|
properties:
|
|
category:
|
|
description: Category indicates policy category
|
|
type: string
|
|
message:
|
|
description: Description is a short user friendly message for
|
|
the policy rule
|
|
type: string
|
|
policy:
|
|
description: Policy is the name or identifier of the policy
|
|
type: string
|
|
properties:
|
|
additionalProperties:
|
|
type: string
|
|
description: Properties provides additional information for
|
|
the policy rule
|
|
type: object
|
|
resourceSelector:
|
|
description: |-
|
|
SubjectSelector is an optional label selector for checked Kubernetes resources.
|
|
For example, a policy result may apply to all pods that match a label.
|
|
Either a Subject or a SubjectSelector can be specified.
|
|
If neither are provided, the result is assumed to be for the policy report scope.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label selector
|
|
requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the selector
|
|
applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
resources:
|
|
description: Subjects is an optional reference to the checked
|
|
Kubernetes resources
|
|
items:
|
|
description: ObjectReference contains enough information to
|
|
let you inspect or modify the referred object.
|
|
properties:
|
|
apiVersion:
|
|
description: API version of the referent.
|
|
type: string
|
|
fieldPath:
|
|
description: |-
|
|
If referring to a piece of an object instead of an entire object, this string
|
|
should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
|
|
For example, if the object reference is to a container within a pod, this would take on a value like:
|
|
"spec.containers{name}" (where "name" refers to the name of the container that triggered
|
|
the event) or if no container name is specified "spec.containers[2]" (container with
|
|
index 2 in this pod). This syntax is chosen only to have some well-defined way of
|
|
referencing a part of an object.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of the referent.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name of the referent.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referent.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
|
|
type: string
|
|
resourceVersion:
|
|
description: |-
|
|
Specific resourceVersion to which this reference is made, if any.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
|
|
type: string
|
|
uid:
|
|
description: |-
|
|
UID of the referent.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
|
|
type: string
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
result:
|
|
description: Result indicates the outcome of the policy rule
|
|
execution
|
|
enum:
|
|
- pass
|
|
- fail
|
|
- warn
|
|
- error
|
|
- skip
|
|
type: string
|
|
rule:
|
|
description: Rule is the name or identifier of the rule within
|
|
the policy
|
|
type: string
|
|
scored:
|
|
description: Scored indicates if this result is scored
|
|
type: boolean
|
|
severity:
|
|
description: Severity indicates policy check result criticality
|
|
enum:
|
|
- critical
|
|
- high
|
|
- low
|
|
- medium
|
|
- info
|
|
type: string
|
|
source:
|
|
description: Source is an identifier for the policy engine that
|
|
manages this report
|
|
type: string
|
|
timestamp:
|
|
description: Timestamp indicates the time the result was found
|
|
properties:
|
|
nanos:
|
|
description: |-
|
|
Non-negative fractions of a second at nanosecond resolution. Negative
|
|
second values with fractions must still have non-negative nanos values
|
|
that count forward in time. Must be from 0 to 999,999,999
|
|
inclusive. This field may be limited in precision depending on context.
|
|
format: int32
|
|
type: integer
|
|
seconds:
|
|
description: |-
|
|
Represents seconds of UTC time since Unix epoch
|
|
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
|
|
9999-12-31T23:59:59Z inclusive.
|
|
format: int64
|
|
type: integer
|
|
required:
|
|
- nanos
|
|
- seconds
|
|
type: object
|
|
required:
|
|
- policy
|
|
type: object
|
|
type: array
|
|
summary:
|
|
description: PolicyReportSummary provides a summary of results
|
|
properties:
|
|
error:
|
|
description: Error provides the count of policies that could not
|
|
be evaluated
|
|
type: integer
|
|
fail:
|
|
description: Fail provides the count of policies whose requirements
|
|
were not met
|
|
type: integer
|
|
pass:
|
|
description: Pass provides the count of policies whose requirements
|
|
were met
|
|
type: integer
|
|
skip:
|
|
description: Skip indicates the count of policies that were not
|
|
selected for evaluation
|
|
type: integer
|
|
warn:
|
|
description: Warn provides the count of non-scored policies whose
|
|
requirements were not met
|
|
type: integer
|
|
type: object
|
|
required:
|
|
- owner
|
|
type: object
|
|
required:
|
|
- spec
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources: {}
|
|
---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/component: crds
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/managed-by: Helm
|
|
app.kubernetes.io/part-of: kyverno-crds
|
|
app.kubernetes.io/version: v0.0.0
|
|
helm.sh/chart: crds-v0.0.0
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.16.1
|
|
name: clusterpolicyreports.wgpolicyk8s.io
|
|
spec:
|
|
group: wgpolicyk8s.io
|
|
names:
|
|
kind: ClusterPolicyReport
|
|
listKind: ClusterPolicyReportList
|
|
plural: clusterpolicyreports
|
|
shortNames:
|
|
- cpolr
|
|
singular: clusterpolicyreport
|
|
scope: Cluster
|
|
versions:
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .scope.kind
|
|
name: Kind
|
|
type: string
|
|
- jsonPath: .scope.name
|
|
name: Name
|
|
type: string
|
|
- jsonPath: .summary.pass
|
|
name: Pass
|
|
type: integer
|
|
- jsonPath: .summary.fail
|
|
name: Fail
|
|
type: integer
|
|
- jsonPath: .summary.warn
|
|
name: Warn
|
|
type: integer
|
|
- jsonPath: .summary.error
|
|
name: Error
|
|
type: integer
|
|
- jsonPath: .summary.skip
|
|
name: Skip
|
|
type: integer
|
|
- jsonPath: .metadata.creationTimestamp
|
|
name: Age
|
|
type: date
|
|
name: v1alpha2
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: ClusterPolicyReport is the Schema for the clusterpolicyreports
|
|
API
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion defines the versioned schema of this representation of an object.
|
|
Servers should convert recognized schemas to the latest internal value, and
|
|
may reject unrecognized values.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is a string value representing the REST resource this object represents.
|
|
Servers may infer this from the endpoint the client submits requests to.
|
|
Cannot be updated.
|
|
In CamelCase.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
results:
|
|
description: PolicyReportResult provides result details
|
|
items:
|
|
description: PolicyReportResult provides the result for an individual
|
|
policy
|
|
properties:
|
|
category:
|
|
description: Category indicates policy category
|
|
type: string
|
|
message:
|
|
description: Description is a short user friendly message for the
|
|
policy rule
|
|
type: string
|
|
policy:
|
|
description: Policy is the name or identifier of the policy
|
|
type: string
|
|
properties:
|
|
additionalProperties:
|
|
type: string
|
|
description: Properties provides additional information for the
|
|
policy rule
|
|
type: object
|
|
resourceSelector:
|
|
description: |-
|
|
SubjectSelector is an optional label selector for checked Kubernetes resources.
|
|
For example, a policy result may apply to all pods that match a label.
|
|
Either a Subject or a SubjectSelector can be specified.
|
|
If neither are provided, the result is assumed to be for the policy report scope.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label selector requirements.
|
|
The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
resources:
|
|
description: Subjects is an optional reference to the checked Kubernetes
|
|
resources
|
|
items:
|
|
description: ObjectReference contains enough information to let
|
|
you inspect or modify the referred object.
|
|
properties:
|
|
apiVersion:
|
|
description: API version of the referent.
|
|
type: string
|
|
fieldPath:
|
|
description: |-
|
|
If referring to a piece of an object instead of an entire object, this string
|
|
should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
|
|
For example, if the object reference is to a container within a pod, this would take on a value like:
|
|
"spec.containers{name}" (where "name" refers to the name of the container that triggered
|
|
the event) or if no container name is specified "spec.containers[2]" (container with
|
|
index 2 in this pod). This syntax is chosen only to have some well-defined way of
|
|
referencing a part of an object.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of the referent.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name of the referent.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referent.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
|
|
type: string
|
|
resourceVersion:
|
|
description: |-
|
|
Specific resourceVersion to which this reference is made, if any.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
|
|
type: string
|
|
uid:
|
|
description: |-
|
|
UID of the referent.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
|
|
type: string
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
result:
|
|
description: Result indicates the outcome of the policy rule execution
|
|
enum:
|
|
- pass
|
|
- fail
|
|
- warn
|
|
- error
|
|
- skip
|
|
type: string
|
|
rule:
|
|
description: Rule is the name or identifier of the rule within the
|
|
policy
|
|
type: string
|
|
scored:
|
|
description: Scored indicates if this result is scored
|
|
type: boolean
|
|
severity:
|
|
description: Severity indicates policy check result criticality
|
|
enum:
|
|
- critical
|
|
- high
|
|
- low
|
|
- medium
|
|
- info
|
|
type: string
|
|
source:
|
|
description: Source is an identifier for the policy engine that
|
|
manages this report
|
|
type: string
|
|
timestamp:
|
|
description: Timestamp indicates the time the result was found
|
|
properties:
|
|
nanos:
|
|
description: |-
|
|
Non-negative fractions of a second at nanosecond resolution. Negative
|
|
second values with fractions must still have non-negative nanos values
|
|
that count forward in time. Must be from 0 to 999,999,999
|
|
inclusive. This field may be limited in precision depending on context.
|
|
format: int32
|
|
type: integer
|
|
seconds:
|
|
description: |-
|
|
Represents seconds of UTC time since Unix epoch
|
|
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
|
|
9999-12-31T23:59:59Z inclusive.
|
|
format: int64
|
|
type: integer
|
|
required:
|
|
- nanos
|
|
- seconds
|
|
type: object
|
|
required:
|
|
- policy
|
|
type: object
|
|
type: array
|
|
scope:
|
|
description: Scope is an optional reference to the report scope (e.g.
|
|
a Deployment, Namespace, or Node)
|
|
properties:
|
|
apiVersion:
|
|
description: API version of the referent.
|
|
type: string
|
|
fieldPath:
|
|
description: |-
|
|
If referring to a piece of an object instead of an entire object, this string
|
|
should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
|
|
For example, if the object reference is to a container within a pod, this would take on a value like:
|
|
"spec.containers{name}" (where "name" refers to the name of the container that triggered
|
|
the event) or if no container name is specified "spec.containers[2]" (container with
|
|
index 2 in this pod). This syntax is chosen only to have some well-defined way of
|
|
referencing a part of an object.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of the referent.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name of the referent.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referent.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
|
|
type: string
|
|
resourceVersion:
|
|
description: |-
|
|
Specific resourceVersion to which this reference is made, if any.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
|
|
type: string
|
|
uid:
|
|
description: |-
|
|
UID of the referent.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
|
|
type: string
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
scopeSelector:
|
|
description: |-
|
|
ScopeSelector is an optional selector for multiple scopes (e.g. Pods).
|
|
Either one of, or none of, but not both of, Scope or ScopeSelector should be specified.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label selector requirements.
|
|
The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
summary:
|
|
description: PolicyReportSummary provides a summary of results
|
|
properties:
|
|
error:
|
|
description: Error provides the count of policies that could not be
|
|
evaluated
|
|
type: integer
|
|
fail:
|
|
description: Fail provides the count of policies whose requirements
|
|
were not met
|
|
type: integer
|
|
pass:
|
|
description: Pass provides the count of policies whose requirements
|
|
were met
|
|
type: integer
|
|
skip:
|
|
description: Skip indicates the count of policies that were not selected
|
|
for evaluation
|
|
type: integer
|
|
warn:
|
|
description: Warn provides the count of non-scored policies whose
|
|
requirements were not met
|
|
type: integer
|
|
type: object
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources: {}
|
|
---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/component: crds
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/managed-by: Helm
|
|
app.kubernetes.io/part-of: kyverno-crds
|
|
app.kubernetes.io/version: v0.0.0
|
|
helm.sh/chart: crds-v0.0.0
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.16.1
|
|
name: policyreports.wgpolicyk8s.io
|
|
spec:
|
|
group: wgpolicyk8s.io
|
|
names:
|
|
kind: PolicyReport
|
|
listKind: PolicyReportList
|
|
plural: policyreports
|
|
shortNames:
|
|
- polr
|
|
singular: policyreport
|
|
scope: Namespaced
|
|
versions:
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .scope.kind
|
|
name: Kind
|
|
type: string
|
|
- jsonPath: .scope.name
|
|
name: Name
|
|
type: string
|
|
- jsonPath: .summary.pass
|
|
name: Pass
|
|
type: integer
|
|
- jsonPath: .summary.fail
|
|
name: Fail
|
|
type: integer
|
|
- jsonPath: .summary.warn
|
|
name: Warn
|
|
type: integer
|
|
- jsonPath: .summary.error
|
|
name: Error
|
|
type: integer
|
|
- jsonPath: .summary.skip
|
|
name: Skip
|
|
type: integer
|
|
- jsonPath: .metadata.creationTimestamp
|
|
name: Age
|
|
type: date
|
|
name: v1alpha2
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: PolicyReport is the Schema for the policyreports API
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion defines the versioned schema of this representation of an object.
|
|
Servers should convert recognized schemas to the latest internal value, and
|
|
may reject unrecognized values.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is a string value representing the REST resource this object represents.
|
|
Servers may infer this from the endpoint the client submits requests to.
|
|
Cannot be updated.
|
|
In CamelCase.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
results:
|
|
description: PolicyReportResult provides result details
|
|
items:
|
|
description: PolicyReportResult provides the result for an individual
|
|
policy
|
|
properties:
|
|
category:
|
|
description: Category indicates policy category
|
|
type: string
|
|
message:
|
|
description: Description is a short user friendly message for the
|
|
policy rule
|
|
type: string
|
|
policy:
|
|
description: Policy is the name or identifier of the policy
|
|
type: string
|
|
properties:
|
|
additionalProperties:
|
|
type: string
|
|
description: Properties provides additional information for the
|
|
policy rule
|
|
type: object
|
|
resourceSelector:
|
|
description: |-
|
|
SubjectSelector is an optional label selector for checked Kubernetes resources.
|
|
For example, a policy result may apply to all pods that match a label.
|
|
Either a Subject or a SubjectSelector can be specified.
|
|
If neither are provided, the result is assumed to be for the policy report scope.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label selector requirements.
|
|
The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
resources:
|
|
description: Subjects is an optional reference to the checked Kubernetes
|
|
resources
|
|
items:
|
|
description: ObjectReference contains enough information to let
|
|
you inspect or modify the referred object.
|
|
properties:
|
|
apiVersion:
|
|
description: API version of the referent.
|
|
type: string
|
|
fieldPath:
|
|
description: |-
|
|
If referring to a piece of an object instead of an entire object, this string
|
|
should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
|
|
For example, if the object reference is to a container within a pod, this would take on a value like:
|
|
"spec.containers{name}" (where "name" refers to the name of the container that triggered
|
|
the event) or if no container name is specified "spec.containers[2]" (container with
|
|
index 2 in this pod). This syntax is chosen only to have some well-defined way of
|
|
referencing a part of an object.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of the referent.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name of the referent.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referent.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
|
|
type: string
|
|
resourceVersion:
|
|
description: |-
|
|
Specific resourceVersion to which this reference is made, if any.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
|
|
type: string
|
|
uid:
|
|
description: |-
|
|
UID of the referent.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
|
|
type: string
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
result:
|
|
description: Result indicates the outcome of the policy rule execution
|
|
enum:
|
|
- pass
|
|
- fail
|
|
- warn
|
|
- error
|
|
- skip
|
|
type: string
|
|
rule:
|
|
description: Rule is the name or identifier of the rule within the
|
|
policy
|
|
type: string
|
|
scored:
|
|
description: Scored indicates if this result is scored
|
|
type: boolean
|
|
severity:
|
|
description: Severity indicates policy check result criticality
|
|
enum:
|
|
- critical
|
|
- high
|
|
- low
|
|
- medium
|
|
- info
|
|
type: string
|
|
source:
|
|
description: Source is an identifier for the policy engine that
|
|
manages this report
|
|
type: string
|
|
timestamp:
|
|
description: Timestamp indicates the time the result was found
|
|
properties:
|
|
nanos:
|
|
description: |-
|
|
Non-negative fractions of a second at nanosecond resolution. Negative
|
|
second values with fractions must still have non-negative nanos values
|
|
that count forward in time. Must be from 0 to 999,999,999
|
|
inclusive. This field may be limited in precision depending on context.
|
|
format: int32
|
|
type: integer
|
|
seconds:
|
|
description: |-
|
|
Represents seconds of UTC time since Unix epoch
|
|
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
|
|
9999-12-31T23:59:59Z inclusive.
|
|
format: int64
|
|
type: integer
|
|
required:
|
|
- nanos
|
|
- seconds
|
|
type: object
|
|
required:
|
|
- policy
|
|
type: object
|
|
type: array
|
|
scope:
|
|
description: Scope is an optional reference to the report scope (e.g.
|
|
a Deployment, Namespace, or Node)
|
|
properties:
|
|
apiVersion:
|
|
description: API version of the referent.
|
|
type: string
|
|
fieldPath:
|
|
description: |-
|
|
If referring to a piece of an object instead of an entire object, this string
|
|
should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
|
|
For example, if the object reference is to a container within a pod, this would take on a value like:
|
|
"spec.containers{name}" (where "name" refers to the name of the container that triggered
|
|
the event) or if no container name is specified "spec.containers[2]" (container with
|
|
index 2 in this pod). This syntax is chosen only to have some well-defined way of
|
|
referencing a part of an object.
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind of the referent.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name of the referent.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|
type: string
|
|
namespace:
|
|
description: |-
|
|
Namespace of the referent.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
|
|
type: string
|
|
resourceVersion:
|
|
description: |-
|
|
Specific resourceVersion to which this reference is made, if any.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
|
|
type: string
|
|
uid:
|
|
description: |-
|
|
UID of the referent.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
|
|
type: string
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
scopeSelector:
|
|
description: |-
|
|
ScopeSelector is an optional selector for multiple scopes (e.g. Pods).
|
|
Either one of, or none of, but not both of, Scope or ScopeSelector should be specified.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label selector requirements.
|
|
The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
summary:
|
|
description: PolicyReportSummary provides a summary of results
|
|
properties:
|
|
error:
|
|
description: Error provides the count of policies that could not be
|
|
evaluated
|
|
type: integer
|
|
fail:
|
|
description: Fail provides the count of policies whose requirements
|
|
were not met
|
|
type: integer
|
|
pass:
|
|
description: Pass provides the count of policies whose requirements
|
|
were met
|
|
type: integer
|
|
skip:
|
|
description: Skip indicates the count of policies that were not selected
|
|
for evaluation
|
|
type: integer
|
|
warn:
|
|
description: Warn provides the count of non-scored policies whose
|
|
requirements were not met
|
|
type: integer
|
|
type: object
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources: {}
|
|
---
# Aggregated ClusterRole for the admission controller. It carries no rules of
# its own: the API server merges in every ClusterRole matching one of the
# selectors below (the kyverno:admission-controller:core role via the
# component/instance/part-of labels, plus any role labelled
# rbac.kyverno.io/aggregate-to-admission-controller: "true").
# NOTE(review): anyone who can create or label ClusterRoles can therefore
# widen this controller's permissions without touching this manifest.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:admission-controller
  labels:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
aggregationRule:
  clusterRoleSelectors:
    - matchLabels:
        rbac.kyverno.io/aggregate-to-admission-controller: "true"
    - matchLabels:
        app.kubernetes.io/component: admission-controller
        app.kubernetes.io/instance: kyverno
        app.kubernetes.io/part-of: kyverno
---
# Core permission set of the admission controller. It is not bound directly:
# its labels match the second clusterRoleSelector of the aggregated
# kyverno:admission-controller ClusterRole, which is what the ServiceAccount
# is bound to.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:admission-controller:core
  labels:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
rules:
  # Read CRDs.
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - get
  # Full lifecycle of webhook registrations, cluster-wide.
  # NOTE(review): this is a high-impact permission — a mutating webhook
  # configuration intercepts admission requests for every namespace — so the
  # token of this ServiceAccount should be protected like a cluster-admin
  # credential.
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - mutatingwebhookconfigurations
      - validatingwebhookconfigurations
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
      - deletecollection
  # Read-only visibility of RBAC objects.
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - roles
      - clusterroles
      - rolebindings
      - clusterrolebindings
    verbs:
      - list
      - watch
  # Kyverno's own API types, including their status subresources.
  - apiGroups:
      - kyverno.io
    resources:
      - policies
      - policies/status
      - clusterpolicies
      - clusterpolicies/status
      - updaterequests
      - updaterequests/status
      - globalcontextentries
      - globalcontextentries/status
      - policyexceptions
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
      - deletecollection
  # Ephemeral reports.
  - apiGroups:
      - reports.kyverno.io
    resources:
      - ephemeralreports
      - clusterephemeralreports
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
      - deletecollection
  # Policy reports (wgpolicyk8s.io), including status subresources.
  - apiGroups:
      - wgpolicyk8s.io
    resources:
      - policyreports
      - policyreports/status
      - clusterpolicyreports
      - clusterpolicyreports/status
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
      - deletecollection
  # Events in both the legacy core group and events.k8s.io.
  - apiGroups:
      - ""
      - events.k8s.io
    resources:
      - events
    verbs:
      - create
      - update
      - patch
  # SubjectAccessReview creation.
  - apiGroups:
      - authorization.k8s.io
    resources:
      - subjectaccessreviews
    verbs:
      - create
  # Cluster-wide read of ConfigMaps and Namespaces.
  - apiGroups:
      - ""
    resources:
      - configmaps
      - namespaces
    verbs:
      - get
      - list
      - watch
  # Leases (presumably leader election — confirm); note this rule is not
  # scoped by resourceNames, unlike the namespaced Roles further down.
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
      - update
      - patch
      - get
      - list
      - watch
---
# Aggregated ClusterRole for the background controller; rules come from every
# ClusterRole matching a selector below (the :core role via its labels, and
# any role labelled rbac.kyverno.io/aggregate-to-background-controller: "true").
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:background-controller
  labels:
    app.kubernetes.io/component: background-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
aggregationRule:
  clusterRoleSelectors:
    - matchLabels:
        rbac.kyverno.io/aggregate-to-background-controller: "true"
    - matchLabels:
        app.kubernetes.io/component: background-controller
        app.kubernetes.io/instance: kyverno
        app.kubernetes.io/part-of: kyverno
---
# Core permission set of the background controller, aggregated into
# kyverno:background-controller through its labels.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:background-controller:core
  labels:
    app.kubernetes.io/component: background-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
rules:
  # Read CRDs.
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - get
  # Kyverno's own API types, including status subresources.
  - apiGroups:
      - kyverno.io
    resources:
      - policies
      - policies/status
      - clusterpolicies
      - clusterpolicies/status
      - policyexceptions
      - updaterequests
      - updaterequests/status
      - globalcontextentries
      - globalcontextentries/status
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
      - deletecollection
  # Cluster-wide read of Namespaces and ConfigMaps.
  - apiGroups:
      - ""
    resources:
      - namespaces
      - configmaps
    verbs:
      - get
      - list
      - watch
  # Events, legacy core group and events.k8s.io.
  - apiGroups:
      - ""
      - events.k8s.io
    resources:
      - events
    verbs:
      - create
      - get
      - list
      - patch
      - update
      - watch
  # Write access to networking objects in every namespace (presumably for
  # generated resources — confirm).
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
      - ingressclasses
      - networkpolicies
    verbs:
      - create
      - update
      - patch
      - delete
  # NOTE(review): cluster-wide create/update/delete of Roles and RoleBindings
  # is privilege-sensitive; the API server's escalation check still bounds
  # what can be granted, but this ServiceAccount's token should be treated as
  # high value.
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - rolebindings
      - roles
    verbs:
      - create
      - update
      - patch
      - delete
  # Write access to ConfigMaps, ResourceQuotas and LimitRanges in every
  # namespace.
  - apiGroups:
      - ""
    resources:
      - configmaps
      - resourcequotas
      - limitranges
    verbs:
      - create
      - update
      - patch
      - delete
---
# Aggregated ClusterRole for the cleanup controller; populated from every
# ClusterRole matching a selector below.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:cleanup-controller
  labels:
    app.kubernetes.io/component: cleanup-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
aggregationRule:
  clusterRoleSelectors:
    - matchLabels:
        rbac.kyverno.io/aggregate-to-cleanup-controller: "true"
    - matchLabels:
        app.kubernetes.io/component: cleanup-controller
        app.kubernetes.io/instance: kyverno
        app.kubernetes.io/part-of: kyverno
---
# Core permission set of the cleanup controller, aggregated into
# kyverno:cleanup-controller through its labels.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:cleanup-controller:core
  labels:
    app.kubernetes.io/component: cleanup-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
rules:
  # Read CRDs.
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - get
  # Manage validating webhook registrations (no patch/deletecollection, in
  # contrast with the admission controller's rule).
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
    verbs:
      - create
      - delete
      - get
      - list
      - update
      - watch
  # Cluster-wide read of Namespaces.
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
  # Watch cleanup policies.
  - apiGroups:
      - kyverno.io
    resources:
      - clustercleanuppolicies
      - cleanuppolicies
    verbs:
      - list
      - watch
  # Global context entries, including status.
  - apiGroups:
      - kyverno.io
    resources:
      - globalcontextentries
      - globalcontextentries/status
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
      - deletecollection
  # Status updates on cleanup policies.
  - apiGroups:
      - kyverno.io
    resources:
      - clustercleanuppolicies/status
      - cleanuppolicies/status
    verbs:
      - update
  # Cluster-wide read of ConfigMaps.
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
  # Events, legacy core group and events.k8s.io.
  - apiGroups:
      - ""
      - events.k8s.io
    resources:
      - events
    verbs:
      - create
      - patch
      - update
  # SubjectAccessReview creation.
  - apiGroups:
      - authorization.k8s.io
    resources:
      - subjectaccessreviews
    verbs:
      - create
---
# Aggregated into the built-in `admin` ClusterRole via the
# rbac.authorization.k8s.io/aggregate-to-admin label: every subject holding
# `admin` gains full CRUD on Kyverno policies.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:rbac:admin:policies
  labels:
    app.kubernetes.io/component: rbac
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups:
      - kyverno.io
    resources:
      - cleanuppolicies
      - clustercleanuppolicies
      - policies
      - clusterpolicies
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
---
# Aggregated into the built-in `view` ClusterRole: read-only access to
# Kyverno policies for every subject holding `view`.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:rbac:view:policies
  labels:
    app.kubernetes.io/component: rbac
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
  - apiGroups:
      - kyverno.io
    resources:
      - cleanuppolicies
      - clustercleanuppolicies
      - policies
      - clusterpolicies
    verbs:
      - get
      - list
      - watch
---
# Aggregated into the built-in `admin` ClusterRole: full CRUD on policy
# reports (wgpolicyk8s.io).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:rbac:admin:policyreports
  labels:
    app.kubernetes.io/component: rbac
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups:
      - wgpolicyk8s.io
    resources:
      - policyreports
      - clusterpolicyreports
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
---
# Aggregated into the built-in `view` ClusterRole: read-only access to policy
# reports (wgpolicyk8s.io).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:rbac:view:policyreports
  labels:
    app.kubernetes.io/component: rbac
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
  - apiGroups:
      - wgpolicyk8s.io
    resources:
      - policyreports
      - clusterpolicyreports
    verbs:
      - get
      - list
      - watch
---
# Aggregated into the built-in `admin` ClusterRole: full CRUD on ephemeral
# reports (reports.kyverno.io).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:rbac:admin:reports
  labels:
    app.kubernetes.io/component: rbac
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups:
      - reports.kyverno.io
    resources:
      - ephemeralreports
      - clusterephemeralreports
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
---
# Aggregated into the built-in `view` ClusterRole: read-only access to
# ephemeral reports (reports.kyverno.io).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:rbac:view:reports
  labels:
    app.kubernetes.io/component: rbac
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
  - apiGroups:
      - reports.kyverno.io
    resources:
      - ephemeralreports
      - clusterephemeralreports
    verbs:
      - get
      - list
      - watch
---
# Aggregated into the built-in `admin` ClusterRole: full CRUD on
# UpdateRequests.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:rbac:admin:updaterequests
  labels:
    app.kubernetes.io/component: rbac
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups:
      - kyverno.io
    resources:
      - updaterequests
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
---
# Aggregated into the built-in `view` ClusterRole: read-only access to
# UpdateRequests.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:rbac:view:updaterequests
  labels:
    app.kubernetes.io/component: rbac
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
  - apiGroups:
      - kyverno.io
    resources:
      - updaterequests
    verbs:
      - get
      - list
      - watch
---
# Aggregated ClusterRole for the reports controller; populated from every
# ClusterRole matching a selector below.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:reports-controller
  labels:
    app.kubernetes.io/component: reports-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
aggregationRule:
  clusterRoleSelectors:
    - matchLabels:
        rbac.kyverno.io/aggregate-to-reports-controller: "true"
    - matchLabels:
        app.kubernetes.io/component: reports-controller
        app.kubernetes.io/instance: kyverno
        app.kubernetes.io/part-of: kyverno
---
# Core permission set of the reports controller, aggregated into
# kyverno:reports-controller through its labels.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:reports-controller:core
  labels:
    app.kubernetes.io/component: reports-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
rules:
  # Read CRDs.
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - get
  # Cluster-wide read of ConfigMaps and Namespaces.
  - apiGroups:
      - ""
    resources:
      - configmaps
      - namespaces
    verbs:
      - get
      - list
      - watch
  # Kyverno API types this controller works with.
  - apiGroups:
      - kyverno.io
    resources:
      - globalcontextentries
      - globalcontextentries/status
      - policyexceptions
      - policies
      - clusterpolicies
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
      - deletecollection
  # Ephemeral reports.
  - apiGroups:
      - reports.kyverno.io
    resources:
      - ephemeralreports
      - clusterephemeralreports
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
      - deletecollection
  # Policy reports (wgpolicyk8s.io), including status subresources.
  - apiGroups:
      - wgpolicyk8s.io
    resources:
      - policyreports
      - policyreports/status
      - clusterpolicyreports
      - clusterpolicyreports/status
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
      - deletecollection
  # Events, legacy core group and events.k8s.io.
  - apiGroups:
      - ""
      - events.k8s.io
    resources:
      - events
    verbs:
      - create
      - patch
---
# Grants the admission controller's ServiceAccount the aggregated
# kyverno:admission-controller ClusterRole, cluster-wide.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kyverno:admission-controller
  labels:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kyverno:admission-controller
subjects:
  - kind: ServiceAccount
    name: kyverno-admission-controller
    namespace: kyverno
---
# Binds the admission controller's ServiceAccount to the built-in aggregated
# `view` ClusterRole, i.e. cluster-wide read access to everything `view`
# covers (which itself grows with any aggregate-to-view role, including the
# kyverno:rbac:view:* roles in this file).
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kyverno:admission-controller:view
  labels:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
  - kind: ServiceAccount
    name: kyverno-admission-controller
    namespace: kyverno
---
# Grants the background controller's ServiceAccount the aggregated
# kyverno:background-controller ClusterRole, cluster-wide.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kyverno:background-controller
  labels:
    app.kubernetes.io/component: background-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kyverno:background-controller
subjects:
  - kind: ServiceAccount
    name: kyverno-background-controller
    namespace: kyverno
---
# Binds the background controller's ServiceAccount to the built-in `view`
# ClusterRole, cluster-wide.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kyverno:background-controller:view
  labels:
    app.kubernetes.io/component: background-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
  - kind: ServiceAccount
    name: kyverno-background-controller
    namespace: kyverno
---
# Grants the cleanup controller's ServiceAccount the aggregated
# kyverno:cleanup-controller ClusterRole. Unlike the other three controllers,
# no additional binding to `view` is declared for it in this file.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kyverno:cleanup-controller
  labels:
    app.kubernetes.io/component: cleanup-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kyverno:cleanup-controller
subjects:
  - kind: ServiceAccount
    name: kyverno-cleanup-controller
    namespace: kyverno
---
# Grants the reports controller's ServiceAccount the aggregated
# kyverno:reports-controller ClusterRole, cluster-wide.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kyverno:reports-controller
  labels:
    app.kubernetes.io/component: reports-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kyverno:reports-controller
subjects:
  - kind: ServiceAccount
    name: kyverno-reports-controller
    namespace: kyverno
---
# Binds the reports controller's ServiceAccount to the built-in `view`
# ClusterRole, cluster-wide.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kyverno:reports-controller:view
  labels:
    app.kubernetes.io/component: reports-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
  - kind: ServiceAccount
    name: kyverno-reports-controller
    namespace: kyverno
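---
# Namespaced permissions of the admission controller inside the kyverno
# namespace (bound by the RoleBinding of the same name).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kyverno:admission-controller
  namespace: kyverno
  labels:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
rules:
  # Full read/write on Secrets and ServiceAccounts in the namespace.
  # NOTE(review): this rule has no resourceNames, so every Secret and
  # ServiceAccount in the kyverno namespace can be read, changed or deleted.
  # The cleanup-controller Role below restricts its secret writes to its two
  # TLS secrets; if this controller only manages the
  # kyverno-svc.kyverno.svc.kyverno-tls-ca / -tls-pair secrets named in its
  # container args, the write verbs here could be scoped the same way.
  - apiGroups:
      - ""
    resources:
      - secrets
      - serviceaccounts
    verbs:
      - get
      - list
      - watch
      - patch
      - create
      - update
      - delete
  # Read-only access to the two configuration ConfigMaps.
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
    resourceNames:
      - kyverno
      - kyverno-metrics
  # Leases (presumably leader election — confirm). Not scoped by
  # resourceNames, unlike the equivalent rules of the other controller Roles.
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
      - delete
      - get
      - patch
      - update
  # Read-only access to Deployments.
  # NOTE(review): the previous comment on this rule said it allows updating
  # Kyverno deployment annotations, but only get/list/watch are granted; the
  # comment was stale. Confirm no caller still relies on an update verb here.
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - get
      - list
      - watch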
---
# Namespaced permissions of the background controller inside the kyverno
# namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kyverno:background-controller
  labels:
    app.kubernetes.io/component: background-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
  namespace: kyverno
rules:
  # Read-only access to the two configuration ConfigMaps.
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
    resourceNames:
      - kyverno
      - kyverno-metrics
  # Lease creation cannot be name-scoped (the object does not exist yet), so
  # it is a separate rule from the name-scoped update rule below.
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - delete
      - get
      - patch
      - update
    resourceNames:
      - kyverno-background-controller
  # Read-only access to every Secret in the namespace.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
---
# Namespaced permissions of the cleanup controller inside the kyverno
# namespace. This Role is the least-privilege reference point in this file:
# secret and lease writes are pinned to named objects.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kyverno:cleanup-controller
  labels:
    app.kubernetes.io/component: cleanup-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
  namespace: kyverno
rules:
  # Create is unscoped (resourceNames cannot apply to objects that do not
  # exist yet); all other secret verbs are limited to the two TLS secrets.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - delete
      - get
      - list
      - update
      - watch
    resourceNames:
      - kyverno-cleanup-controller.kyverno.svc.kyverno-tls-ca
      - kyverno-cleanup-controller.kyverno.svc.kyverno-tls-pair
  # Read-only access to the two configuration ConfigMaps.
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
    resourceNames:
      - kyverno
      - kyverno-metrics
  # Leases: unscoped create, name-scoped everything else.
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - delete
      - get
      - patch
      - update
    resourceNames:
      - kyverno-cleanup-controller
  # Read-only access to Deployments.
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - get
      - list
      - watch
---
# Namespaced permissions of the reports controller inside the kyverno
# namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kyverno:reports-controller
  labels:
    app.kubernetes.io/component: reports-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
  namespace: kyverno
rules:
  # Read-only access to the two configuration ConfigMaps.
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
    resourceNames:
      - kyverno
      - kyverno-metrics
  # Read-only access to every Secret in the namespace.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
  # Leases: unscoped create, name-scoped everything else.
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - delete
      - get
      - patch
      - update
    resourceNames:
      - kyverno-reports-controller
---
# Binds the admission controller's ServiceAccount to its namespaced Role.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kyverno:admission-controller
  namespace: kyverno
  labels:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kyverno:admission-controller
subjects:
  - kind: ServiceAccount
    name: kyverno-admission-controller
    namespace: kyverno
---
# Binds the background controller's ServiceAccount to its namespaced Role.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kyverno:background-controller
  labels:
    app.kubernetes.io/component: background-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
  namespace: kyverno
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kyverno:background-controller
subjects:
  - kind: ServiceAccount
    name: kyverno-background-controller
    namespace: kyverno
---
# Binds the cleanup controller's ServiceAccount to its namespaced Role.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kyverno:cleanup-controller
  labels:
    app.kubernetes.io/component: cleanup-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
  namespace: kyverno
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kyverno:cleanup-controller
subjects:
  - kind: ServiceAccount
    name: kyverno-cleanup-controller
    namespace: kyverno
---
# Binds the reports controller's ServiceAccount to its namespaced Role.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kyverno:reports-controller
  labels:
    app.kubernetes.io/component: reports-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
  namespace: kyverno
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kyverno:reports-controller
subjects:
  - kind: ServiceAccount
    name: kyverno-reports-controller
    namespace: kyverno
---
# ClusterIP Service in front of the admission webhook: port 443 forwarded to
# the container port named "https" on admission-controller pods.
apiVersion: v1
kind: Service
metadata:
  name: kyverno-svc
  namespace: kyverno
  labels:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
spec:
  ports:
    - port: 443
      targetPort: https
      protocol: TCP
      name: https
      appProtocol: https
  selector:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
  type: ClusterIP
---
# Metrics Service for the admission controller on port 8000. No appProtocol
# is declared, unlike the webhook Service; presumably plain HTTP — confirm
# before exposing it outside the cluster network.
apiVersion: v1
kind: Service
metadata:
  name: kyverno-svc-metrics
  namespace: kyverno
  labels:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
spec:
  ports:
    - port: 8000
      targetPort: 8000
      protocol: TCP
      name: metrics-port
  selector:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
  type: ClusterIP
---
# Metrics Service for the background controller on port 8000 (ClusterIP).
apiVersion: v1
kind: Service
metadata:
  name: kyverno-background-controller-metrics
  namespace: kyverno
  labels:
    app.kubernetes.io/component: background-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
spec:
  ports:
    - port: 8000
      targetPort: 8000
      protocol: TCP
      name: metrics-port
  selector:
    app.kubernetes.io/component: background-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
  type: ClusterIP
---
# ClusterIP Service in front of the cleanup controller's webhook: port 443
# forwarded to the container port named "https" on cleanup-controller pods.
apiVersion: v1
kind: Service
metadata:
  name: kyverno-cleanup-controller
  namespace: kyverno
  labels:
    app.kubernetes.io/component: cleanup-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
spec:
  ports:
    - port: 443
      targetPort: https
      protocol: TCP
      name: https
      appProtocol: https
  selector:
    app.kubernetes.io/component: cleanup-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
  type: ClusterIP
---
# Metrics Service for the cleanup controller on port 8000 (ClusterIP).
apiVersion: v1
kind: Service
metadata:
  name: kyverno-cleanup-controller-metrics
  namespace: kyverno
  labels:
    app.kubernetes.io/component: cleanup-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
spec:
  ports:
    - port: 8000
      targetPort: 8000
      protocol: TCP
      name: metrics-port
  selector:
    app.kubernetes.io/component: cleanup-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
  type: ClusterIP
---
# Metrics Service for the reports controller on port 8000 (ClusterIP).
apiVersion: v1
kind: Service
metadata:
  name: kyverno-reports-controller-metrics
  namespace: kyverno
  labels:
    app.kubernetes.io/component: reports-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
spec:
  ports:
    - port: 8000
      targetPort: 8000
      protocol: TCP
      name: metrics-port
  selector:
    app.kubernetes.io/component: reports-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
  type: ClusterIP
---
# Kyverno admission controller. The main container serves the webhook
# endpoint over HTTPS on 9443 and Prometheus metrics on 8000; an init
# container (kyverno-pre) runs first under the same service account.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kyverno-admission-controller
  namespace: kyverno
  labels:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
spec:
  # Intentionally unset (YAML null): the apiserver applies the Deployment
  # default of 1 replica.
  replicas: null
  revisionHistoryLimit: 10
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 40%
  selector:
    matchLabels:
      app.kubernetes.io/component: admission-controller
      app.kubernetes.io/instance: kyverno
      app.kubernetes.io/part-of: kyverno
  template:
    metadata:
      labels:
        app.kubernetes.io/component: admission-controller
        app.kubernetes.io/instance: kyverno
        app.kubernetes.io/part-of: kyverno
        app.kubernetes.io/version: latest
    spec:
      serviceAccountName: kyverno-admission-controller
      dnsPolicy: ClusterFirst
      # Soft anti-affinity: prefer one admission-controller pod per node.
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 1
              podAffinityTerm:
                topologyKey: kubernetes.io/hostname
                labelSelector:
                  matchExpressions:
                    - key: app.kubernetes.io/component
                      operator: In
                      values: [admission-controller]
      initContainers:
        - name: kyverno-pre
          # NOTE(review): "latest" is a mutable tag and IfNotPresent reuses a
          # node's cached image instead of refreshing it; pin a digest for
          # anything beyond local testing.
          image: ghcr.io/kyverno/kyvernopre:latest
          imagePullPolicy: IfNotPresent
          args:
            - --loggingFormat=text
            - --v=2
          # Hardened: no privilege escalation, all capabilities dropped,
          # read-only root filesystem, non-root, RuntimeDefault seccomp.
          securityContext:
            allowPrivilegeEscalation: false
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            capabilities:
              drop: [ALL]
            seccompProfile:
              type: RuntimeDefault
          resources:
            requests:
              cpu: 10m
              memory: 64Mi
            limits:
              cpu: 100m
              memory: 256Mi
          env:
            - name: KYVERNO_SERVICEACCOUNT_NAME
              value: kyverno-admission-controller
            - name: KYVERNO_ROLE_NAME
              value: kyverno:admission-controller
            - name: INIT_CONFIG
              value: kyverno
            - name: METRICS_CONFIG
              value: kyverno-metrics
            - name: KYVERNO_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: KYVERNO_POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: KYVERNO_DEPLOYMENT
              value: kyverno-admission-controller
            - name: KYVERNO_SVC
              value: kyverno-svc
      containers:
        - name: kyverno
          # NOTE(review): same mutable-tag/IfNotPresent caveat as the init
          # container above.
          image: ghcr.io/kyverno/kyverno:latest
          imagePullPolicy: IfNotPresent
          args:
            # TLS material for the webhook server (CA and serving pair).
            - --caSecretName=kyverno-svc.kyverno.svc.kyverno-tls-ca
            - --tlsSecretName=kyverno-svc.kyverno.svc.kyverno-tls-pair
            # Identities of the sibling controllers this component trusts.
            - --backgroundServiceAccountName=system:serviceaccount:kyverno:kyverno-background-controller
            - --reportsServiceAccountName=system:serviceaccount:kyverno:kyverno-reports-controller
            - --servicePort=443
            - --webhookServerPort=9443
            - --disableMetrics=false
            - --otelConfig=prometheus
            - --metricsPort=8000
            - --admissionReports=true
            - --maxAdmissionReports=1000
            - --autoUpdateWebhooks=true
            - --enableConfigMapCaching=true
            - --enableDeferredLoading=true
            # Admission payloads are not dumped to logs.
            - --dumpPayload=false
            # Webhooks keep their configured failure policy; nothing is forced
            # to Ignore (fail-open), going by the flag name.
            - --forceFailurePolicyIgnore=false
            - --generateValidatingAdmissionPolicy=false
            - --maxAPICallResponseLength=2000000
            - --loggingFormat=text
            - --v=2
            - --omitEvents=PolicyApplied,PolicySkipped
            - --enablePolicyException=true
            - --protectManagedResources=false
            # Registry access for image verification; insecure registries stay off.
            - --allowInsecureRegistry=false
            - --registryCredentialHelpers=default,google,amazon,azure,github
          # Hardened: no privilege escalation, all capabilities dropped,
          # read-only root filesystem, non-root, RuntimeDefault seccomp.
          securityContext:
            allowPrivilegeEscalation: false
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            capabilities:
              drop: [ALL]
            seccompProfile:
              type: RuntimeDefault
          # No CPU limit is set for the main container (memory only).
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              memory: 384Mi
          ports:
            - name: https
              containerPort: 9443
              protocol: TCP
            - name: metrics-port
              containerPort: 8000
              protocol: TCP
          env:
            - name: INIT_CONFIG
              value: kyverno
            - name: METRICS_CONFIG
              value: kyverno-metrics
            - name: KYVERNO_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: KYVERNO_POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: KYVERNO_SERVICEACCOUNT_NAME
              value: kyverno-admission-controller
            - name: KYVERNO_ROLE_NAME
              value: kyverno:admission-controller
            - name: KYVERNO_SVC
              value: kyverno-svc
            # The only writable path under the read-only root filesystem is
            # the sigstore emptyDir mounted below.
            - name: TUF_ROOT
              value: /.sigstore
            - name: KYVERNO_DEPLOYMENT
              value: kyverno-admission-controller
          # All probes hit the HTTPS webhook port, not the metrics port.
          startupProbe:
            httpGet:
              path: /health/liveness
              port: 9443
              scheme: HTTPS
            initialDelaySeconds: 2
            periodSeconds: 6
            failureThreshold: 20
          livenessProbe:
            httpGet:
              path: /health/liveness
              port: 9443
              scheme: HTTPS
            initialDelaySeconds: 15
            periodSeconds: 30
            timeoutSeconds: 5
            successThreshold: 1
            failureThreshold: 2
          readinessProbe:
            httpGet:
              path: /health/readiness
              port: 9443
              scheme: HTTPS
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 5
            successThreshold: 1
            failureThreshold: 6
          volumeMounts:
            - name: sigstore
              mountPath: /.sigstore
      volumes:
        - name: sigstore
          emptyDir: {}
---
# Kyverno background controller. Exposes 9443 (https) and 8000 (metrics);
# unlike the admission controller it takes no TLS secret or webhook args.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kyverno-background-controller
  namespace: kyverno
  labels:
    app.kubernetes.io/component: background-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
spec:
  # Intentionally unset (YAML null): the apiserver applies the Deployment
  # default of 1 replica.
  replicas: null
  revisionHistoryLimit: 10
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 40%
  selector:
    matchLabels:
      app.kubernetes.io/component: background-controller
      app.kubernetes.io/instance: kyverno
      app.kubernetes.io/part-of: kyverno
  template:
    metadata:
      labels:
        app.kubernetes.io/component: background-controller
        app.kubernetes.io/instance: kyverno
        app.kubernetes.io/part-of: kyverno
        app.kubernetes.io/version: latest
    spec:
      serviceAccountName: kyverno-background-controller
      dnsPolicy: ClusterFirst
      # Soft anti-affinity: prefer one background-controller pod per node.
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 1
              podAffinityTerm:
                topologyKey: kubernetes.io/hostname
                labelSelector:
                  matchExpressions:
                    - key: app.kubernetes.io/component
                      operator: In
                      values: [background-controller]
      containers:
        - name: controller
          # NOTE(review): "latest" is a mutable tag and IfNotPresent reuses a
          # node's cached image instead of refreshing it; pin a digest for
          # anything beyond local testing.
          image: ghcr.io/kyverno/background-controller:latest
          imagePullPolicy: IfNotPresent
          # Hardened: no privilege escalation, all capabilities dropped,
          # read-only root filesystem, non-root, RuntimeDefault seccomp.
          securityContext:
            allowPrivilegeEscalation: false
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            capabilities:
              drop: [ALL]
            seccompProfile:
              type: RuntimeDefault
          # No CPU limit is set (memory only).
          resources:
            requests:
              cpu: 100m
              memory: 64Mi
            limits:
              memory: 128Mi
          ports:
            - name: https
              containerPort: 9443
              protocol: TCP
            - name: metrics
              containerPort: 8000
              protocol: TCP
          args:
            - --disableMetrics=false
            - --otelConfig=prometheus
            - --metricsPort=8000
            - --enableConfigMapCaching=true
            - --enableDeferredLoading=true
            - --maxAPICallResponseLength=2000000
            - --loggingFormat=text
            - --v=2
            - --omitEvents=PolicyApplied,PolicySkipped
            - --enablePolicyException=true
          env:
            - name: KYVERNO_SERVICEACCOUNT_NAME
              value: kyverno-background-controller
            - name: KYVERNO_DEPLOYMENT
              value: kyverno-background-controller
            - name: INIT_CONFIG
              value: kyverno
            - name: METRICS_CONFIG
              value: kyverno-metrics
            - name: KYVERNO_POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: KYVERNO_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          # NOTE(review): no startup/liveness/readiness probes are declared
          # here, unlike the admission and cleanup controllers, so a hung
          # process is not restarted by the kubelet.
---
# Kyverno cleanup controller. Serves its webhook and cleanup server on the
# same HTTPS port (9443) and Prometheus metrics on 8000.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kyverno-cleanup-controller
  namespace: kyverno
  labels:
    app.kubernetes.io/component: cleanup-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
spec:
  # Intentionally unset (YAML null): the apiserver applies the Deployment
  # default of 1 replica.
  replicas: null
  revisionHistoryLimit: 10
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 40%
  selector:
    matchLabels:
      app.kubernetes.io/component: cleanup-controller
      app.kubernetes.io/instance: kyverno
      app.kubernetes.io/part-of: kyverno
  template:
    metadata:
      labels:
        app.kubernetes.io/component: cleanup-controller
        app.kubernetes.io/instance: kyverno
        app.kubernetes.io/part-of: kyverno
        app.kubernetes.io/version: latest
    spec:
      serviceAccountName: kyverno-cleanup-controller
      dnsPolicy: ClusterFirst
      # Soft anti-affinity: prefer one cleanup-controller pod per node.
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 1
              podAffinityTerm:
                topologyKey: kubernetes.io/hostname
                labelSelector:
                  matchExpressions:
                    - key: app.kubernetes.io/component
                      operator: In
                      values: [cleanup-controller]
      containers:
        - name: controller
          # NOTE(review): "latest" is a mutable tag and IfNotPresent reuses a
          # node's cached image instead of refreshing it; pin a digest for
          # anything beyond local testing.
          image: ghcr.io/kyverno/cleanup-controller:latest
          imagePullPolicy: IfNotPresent
          # Hardened: no privilege escalation, all capabilities dropped,
          # read-only root filesystem, non-root, RuntimeDefault seccomp.
          securityContext:
            allowPrivilegeEscalation: false
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            capabilities:
              drop: [ALL]
            seccompProfile:
              type: RuntimeDefault
          # No CPU limit is set (memory only).
          resources:
            requests:
              cpu: 100m
              memory: 64Mi
            limits:
              memory: 128Mi
          ports:
            - name: https
              containerPort: 9443
              protocol: TCP
            - name: metrics
              containerPort: 8000
              protocol: TCP
          args:
            # TLS material for this controller's own webhook server; the
            # secret names are distinct from the admission controller's.
            - --caSecretName=kyverno-cleanup-controller.kyverno.svc.kyverno-tls-ca
            - --tlsSecretName=kyverno-cleanup-controller.kyverno.svc.kyverno-tls-pair
            - --servicePort=443
            # Cleanup server and webhook server share port 9443.
            - --cleanupServerPort=9443
            - --webhookServerPort=9443
            - --disableMetrics=false
            - --otelConfig=prometheus
            - --metricsPort=8000
            - --enableDeferredLoading=true
            # Admission payloads are not dumped to logs.
            - --dumpPayload=false
            - --maxAPICallResponseLength=2000000
            - --loggingFormat=text
            - --v=2
            - --protectManagedResources=false
            - --ttlReconciliationInterval=1m
          env:
            - name: KYVERNO_DEPLOYMENT
              value: kyverno-cleanup-controller
            - name: INIT_CONFIG
              value: kyverno
            - name: METRICS_CONFIG
              value: kyverno-metrics
            - name: KYVERNO_POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: KYVERNO_SERVICEACCOUNT_NAME
              value: kyverno-cleanup-controller
            - name: KYVERNO_ROLE_NAME
              value: kyverno:cleanup-controller
            - name: KYVERNO_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: KYVERNO_SVC
              value: kyverno-cleanup-controller
          # All probes hit the HTTPS port, not the metrics port.
          startupProbe:
            httpGet:
              path: /health/liveness
              port: 9443
              scheme: HTTPS
            initialDelaySeconds: 2
            periodSeconds: 6
            failureThreshold: 20
          livenessProbe:
            httpGet:
              path: /health/liveness
              port: 9443
              scheme: HTTPS
            initialDelaySeconds: 15
            periodSeconds: 30
            timeoutSeconds: 5
            successThreshold: 1
            failureThreshold: 2
          readinessProbe:
            httpGet:
              path: /health/readiness
              port: 9443
              scheme: HTTPS
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 5
            successThreshold: 1
            failureThreshold: 6
---
# Kyverno reports controller. Exposes 9443 (https) and 8000 (metrics), runs
# background scans, and mounts a writable emptyDir for the sigstore TUF root
# because the root filesystem is read-only.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kyverno-reports-controller
  namespace: kyverno
  labels:
    app.kubernetes.io/component: reports-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
spec:
  # Intentionally unset (YAML null): the apiserver applies the Deployment
  # default of 1 replica.
  replicas: null
  revisionHistoryLimit: 10
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 40%
  selector:
    matchLabels:
      app.kubernetes.io/component: reports-controller
      app.kubernetes.io/instance: kyverno
      app.kubernetes.io/part-of: kyverno
  template:
    metadata:
      labels:
        app.kubernetes.io/component: reports-controller
        app.kubernetes.io/instance: kyverno
        app.kubernetes.io/part-of: kyverno
        app.kubernetes.io/version: latest
    spec:
      serviceAccountName: kyverno-reports-controller
      dnsPolicy: ClusterFirst
      # Soft anti-affinity: prefer one reports-controller pod per node.
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 1
              podAffinityTerm:
                topologyKey: kubernetes.io/hostname
                labelSelector:
                  matchExpressions:
                    - key: app.kubernetes.io/component
                      operator: In
                      values: [reports-controller]
      containers:
        - name: controller
          # NOTE(review): "latest" is a mutable tag and IfNotPresent reuses a
          # node's cached image instead of refreshing it; pin a digest for
          # anything beyond local testing.
          image: ghcr.io/kyverno/reports-controller:latest
          imagePullPolicy: IfNotPresent
          # Hardened: no privilege escalation, all capabilities dropped,
          # read-only root filesystem, non-root, RuntimeDefault seccomp.
          securityContext:
            allowPrivilegeEscalation: false
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            capabilities:
              drop: [ALL]
            seccompProfile:
              type: RuntimeDefault
          # No CPU limit is set (memory only).
          resources:
            requests:
              cpu: 100m
              memory: 64Mi
            limits:
              memory: 128Mi
          ports:
            - name: https
              containerPort: 9443
              protocol: TCP
            - name: metrics
              containerPort: 8000
              protocol: TCP
          args:
            - --disableMetrics=false
            - --otelConfig=prometheus
            - --metricsPort=8000
            # Report types produced by this controller.
            - --admissionReports=true
            - --aggregateReports=true
            - --policyReports=true
            - --validatingAdmissionPolicyReports=false
            # Periodic background scan: 2 workers, one pass per hour.
            - --backgroundScan=true
            - --backgroundScanWorkers=2
            - --backgroundScanInterval=1h
            - --skipResourceFilters=true
            - --enableConfigMapCaching=true
            - --enableDeferredLoading=true
            - --maxAPICallResponseLength=2000000
            - --loggingFormat=text
            - --v=2
            - --omitEvents=PolicyApplied,PolicySkipped
            - --enablePolicyException=true
            # Registry access for image verification; insecure registries stay off.
            - --allowInsecureRegistry=false
            - --registryCredentialHelpers=default,google,amazon,azure,github
          env:
            - name: KYVERNO_SERVICEACCOUNT_NAME
              value: kyverno-reports-controller
            - name: KYVERNO_DEPLOYMENT
              value: kyverno-reports-controller
            - name: INIT_CONFIG
              value: kyverno
            - name: METRICS_CONFIG
              value: kyverno-metrics
            - name: KYVERNO_POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: KYVERNO_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            # Points at the sigstore emptyDir mounted below, the only writable
            # path under the read-only root filesystem.
            - name: TUF_ROOT
              value: /.sigstore
          volumeMounts:
            - name: sigstore
              mountPath: /.sigstore
          # NOTE(review): no startup/liveness/readiness probes are declared
          # here, unlike the admission and cleanup controllers, so a hung
          # process is not restarted by the kubelet.
      volumes:
        - name: sigstore
          emptyDir: {}