mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-09 09:26:54 +00:00
Code Activity
kyverno/config/crds/policies.kyverno.io/policies.kyverno.io_celpolicyexceptions.yaml
Mariam Fahmy 7d5750a717
chore: move celexceptions to the new group (#12143) 
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2025-02-11 19:05:22 +02:00

106 lines
4.8 KiB
YAML
Raw Blame History

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
name: celpolicyexceptions.policies.kyverno.io
spec:
group: policies.kyverno.io
names:
kind: CELPolicyException
listKind: CELPolicyExceptionList
plural: celpolicyexceptions
singular: celpolicyexception
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: PolicyException declares resources to be excluded from specified
policies.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec declares policy exception behaviors.
properties:
matchConditions:
description: MatchConditions is a list of CEL expressions that must
be met for a resource to be excluded.
items:
description: MatchCondition represents a condition which must by
fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
Required.
type: string
name:
description: |-
Name is an identifier for this match condition, used for strategic merging of MatchConditions,
as well as providing an identifier for logging purposes. A good name should be descriptive of
the associated expression.
Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
Required.
type: string
required:
- expression
- name
type: object
type: array
policyRefs:
description: PolicyRefs identifies the policies to which the exception
is applied.
items:
properties:
kind:
description: Kind is the kind of the policy
type: string
name:
description: Name is the name of the policy
type: string
required:
- kind
- name
type: object
type: array
required:
- policyRefs
type: object
required:
- spec
type: object
served: true
storage: true
View git blame Copy permalink