mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-10 01:46:55 +00:00
Code Activity
kyverno/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_celpolicyexceptions.yaml
Mariam Fahmy 9e8b655f6f
chore: add celpolicyexceptions in helm chart (#12084) 
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2025-02-05 00:15:45 +08:00

440 lines
23 KiB
YAML
Raw Blame History

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
name: celpolicyexceptions.kyverno.io
spec:
group: kyverno.io
names:
kind: CELPolicyException
listKind: CELPolicyExceptionList
plural: celpolicyexceptions
singular: celpolicyexception
scope: Namespaced
versions:
- name: v2alpha1
schema:
openAPIV3Schema:
description: PolicyException declares resources to be excluded from specified
policies.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec declares policy exception behaviors.
properties:
matchConditions:
description: MatchConditions is a list of CEL expressions that must
be met for a resource to be excluded.
items:
description: MatchCondition represents a condition which must by
fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
Required.
type: string
name:
description: |-
Name is an identifier for this match condition, used for strategic merging of MatchConditions,
as well as providing an identifier for logging purposes. A good name should be descriptive of
the associated expression.
Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
Required.
type: string
required:
- expression
- name
type: object
type: array
matchConstraints:
description: MatchConstraints is used to check if a resource applies
to the exception.
properties:
excludeResourceRules:
description: |-
ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.
The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
items:
description: NamedRuleWithOperations is a tuple of Operations
and Resources with ResourceNames.
properties:
apiGroups:
description: |-
APIGroups is the API groups the resources belong to. '*' is all groups.
If '*' is present, the length of the slice must be one.
Required.
items:
type: string
type: array
x-kubernetes-list-type: atomic
apiVersions:
description: |-
APIVersions is the API versions the resources belong to. '*' is all versions.
If '*' is present, the length of the slice must be one.
Required.
items:
type: string
type: array
x-kubernetes-list-type: atomic
operations:
description: |-
Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *
for all of those operations and any future admission operations that are added.
If '*' is present, the length of the slice must be one.
Required.
items:
description: OperationType specifies an operation for
a request.
type: string
type: array
x-kubernetes-list-type: atomic
resourceNames:
description: ResourceNames is an optional white list of
names that the rule applies to. An empty set means that
everything is allowed.
items:
type: string
type: array
x-kubernetes-list-type: atomic
resources:
description: |-
Resources is a list of resources this rule applies to.
For example:
'pods' means pods.
'pods/log' means the log subresource of pods.
'*' means all resources, but not subresources.
'pods/*' means all subresources of pods.
'*/scale' means all scale subresources.
'*/*' means all resources and their subresources.
If wildcard is present, the validation rule will ensure resources do not
overlap with each other.
Depending on the enclosing object, subresources might not be allowed.
Required.
items:
type: string
type: array
x-kubernetes-list-type: atomic
scope:
description: |-
scope specifies the scope of this rule.
Valid values are "Cluster", "Namespaced", and "*"
"Cluster" means that only cluster-scoped resources will match this rule.
Namespace API objects are cluster-scoped.
"Namespaced" means that only namespaced resources will match this rule.
"*" means that there are no scope restrictions.
Subresources match the scope of their parent resource.
Default is "*".
type: string
type: object
x-kubernetes-map-type: atomic
type: array
x-kubernetes-list-type: atomic
matchPolicy:
description: |-
matchPolicy defines how the "MatchResources" list is used to match incoming requests.
Allowed values are "Exact" or "Equivalent".
- Exact: match a request only if it exactly matches a specified rule.
For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.
- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.
Defaults to "Equivalent"
type: string
namespaceSelector:
description: |-
NamespaceSelector decides whether to run the admission control policy on an object based
on whether the namespace for that object matches the selector. If the
object itself is a namespace, the matching is performed on
object.metadata.labels. If the object is another cluster scoped resource,
it never skips the policy.
For example, to run the webhook on any objects whose namespace is not
associated with "runlevel" of "0" or "1"; you will set the selector as
follows:
"namespaceSelector": {
"matchExpressions": [
{
"key": "runlevel",
"operator": "NotIn",
"values": [
"0",
"1"
]
}
]
}
If instead you want to only run the policy on any objects whose
namespace is associated with the "environment" of "prod" or "staging";
you will set the selector as follows:
"namespaceSelector": {
"matchExpressions": [
{
"key": "environment",
"operator": "In",
"values": [
"prod",
"staging"
]
}
]
}
See
https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
for more examples of label selectors.
Default to the empty LabelSelector, which matches everything.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
objectSelector:
description: |-
ObjectSelector decides whether to run the validation based on if the
object has matching labels. objectSelector is evaluated against both
the oldObject and newObject that would be sent to the cel validation, and
is considered to match if either object matches the selector. A null
object (oldObject in the case of create, or newObject in the case of
delete) or an object that cannot have labels (like a
DeploymentRollback or a PodProxyOptions object) is not considered to
match.
Use the object selector only if the webhook is opt-in, because end
users may skip the admission webhook by setting the labels.
Default to the empty LabelSelector, which matches everything.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
resourceRules:
description: |-
ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.
The policy cares about an operation if it matches _any_ Rule.
items:
description: NamedRuleWithOperations is a tuple of Operations
and Resources with ResourceNames.
properties:
apiGroups:
description: |-
APIGroups is the API groups the resources belong to. '*' is all groups.
If '*' is present, the length of the slice must be one.
Required.
items:
type: string
type: array
x-kubernetes-list-type: atomic
apiVersions:
description: |-
APIVersions is the API versions the resources belong to. '*' is all versions.
If '*' is present, the length of the slice must be one.
Required.
items:
type: string
type: array
x-kubernetes-list-type: atomic
operations:
description: |-
Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *
for all of those operations and any future admission operations that are added.
If '*' is present, the length of the slice must be one.
Required.
items:
description: OperationType specifies an operation for
a request.
type: string
type: array
x-kubernetes-list-type: atomic
resourceNames:
description: ResourceNames is an optional white list of
names that the rule applies to. An empty set means that
everything is allowed.
items:
type: string
type: array
x-kubernetes-list-type: atomic
resources:
description: |-
Resources is a list of resources this rule applies to.
For example:
'pods' means pods.
'pods/log' means the log subresource of pods.
'*' means all resources, but not subresources.
'pods/*' means all subresources of pods.
'*/scale' means all scale subresources.
'*/*' means all resources and their subresources.
If wildcard is present, the validation rule will ensure resources do not
overlap with each other.
Depending on the enclosing object, subresources might not be allowed.
Required.
items:
type: string
type: array
x-kubernetes-list-type: atomic
scope:
description: |-
scope specifies the scope of this rule.
Valid values are "Cluster", "Namespaced", and "*"
"Cluster" means that only cluster-scoped resources will match this rule.
Namespace API objects are cluster-scoped.
"Namespaced" means that only namespaced resources will match this rule.
"*" means that there are no scope restrictions.
Subresources match the scope of their parent resource.
Default is "*".
type: string
type: object
x-kubernetes-map-type: atomic
type: array
x-kubernetes-list-type: atomic
type: object
x-kubernetes-map-type: atomic
policyRefs:
description: PolicyRefs identifies the policies to which the exception
is applied.
items:
properties:
kind:
description: Kind is the kind of the policy
type: string
name:
description: Name is the name of the policy
type: string
required:
- kind
- name
type: object
type: array
required:
- matchConstraints
- policyRefs
type: object
required:
- spec
type: object
served: true
storage: true
View git blame Copy permalink