mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-09 01:16:55 +00:00
221c559247
* feat: cosign verifier for new image verifier crd Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/gcp (#12170) Bumps [github.com/sigstore/sigstore/pkg/signature/kms/gcp](https://github.com/sigstore/sigstore) from 1.8.12 to 1.8.14. - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/compare/v1.8.12...v1.8.14) --- updated-dependencies: - dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/gcp dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: shuting <shuting@nirmata.com> * feat: add MutatingPolicies CRD (#12150) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * README: fix markdown syntax (#12176) Signed-off-by: Koichi Shiraishi <zchee.io@gmail.com> Co-authored-by: shuting <shuting@nirmata.com> * chore(deps): bump sigs.k8s.io/controller-runtime from 0.20.1 to 0.20.2 (#12180) Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.20.1 to 0.20.2. - [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases) - [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md) - [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.20.1...v0.20.2) --- updated-dependencies: - dependency-name: sigs.k8s.io/controller-runtime dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: cel policies nits (#12184) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * use serviceAccountName instead of deprecated serviceAccount (#12158) Signed-off-by: Francesco Ilario <filario@redhat.com> Co-authored-by: shuting <shuting@nirmata.com> * chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/azure (#12179) Bumps [github.com/sigstore/sigstore/pkg/signature/kms/azure](https://github.com/sigstore/sigstore) from 1.8.12 to 1.8.14. - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/compare/v1.8.12...v1.8.14) --- updated-dependencies: - dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/azure dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * chore(deps): bump github.com/awslabs/amazon-ecr-credential-helper/ecr-login (#12178) Bumps [github.com/awslabs/amazon-ecr-credential-helper/ecr-login](https://github.com/awslabs/amazon-ecr-credential-helper) from 0.0.0-20241227172826-c97b94eac159 to 0.9.1. - [Release notes](https://github.com/awslabs/amazon-ecr-credential-helper/releases) - [Changelog](https://github.com/awslabs/amazon-ecr-credential-helper/blob/main/CHANGELOG.md) - [Commits](https://github.com/awslabs/amazon-ecr-credential-helper/commits/v0.9.1) --- updated-dependencies: - dependency-name: github.com/awslabs/amazon-ecr-credential-helper/ecr-login dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * feat: add notary verifier with tsa support (#12160) * feat: add notary repository Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add notary verifier Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: more tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: more tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: ci Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: update types Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> * fix: codegen (#12195) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * feat(gctx): add jmespath caching through projections (#11833) feat(gctx): move ready check to runtime Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> * fix: publish codecov reports (#12197) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * chore: format conformance.yaml workflow file (#12194) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: add result count for VPs in the CLI (#12193) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * feat: implement functions Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> Signed-off-by: Koichi Shiraishi <zchee.io@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Francesco Ilario <filario@redhat.com> Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Mariam Fahmy <mariam.fahmy@nirmata.com> Co-authored-by: Koichi Shiraishi <zchee.io@gmail.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Francesco Ilario <filario@redhat.com> Co-authored-by: Khaled Emara <khaled.emara@nirmata.com>
905 lines
50 KiB
YAML
905 lines
50 KiB
YAML
---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: (devel)
|
|
name: imageverificationpolicies.policies.kyverno.io
|
|
spec:
|
|
group: policies.kyverno.io
|
|
names:
|
|
categories:
|
|
- kyverno
|
|
kind: ImageVerificationPolicy
|
|
listKind: ImageVerificationPolicyList
|
|
plural: imageverificationpolicies
|
|
shortNames:
|
|
- ivpol
|
|
singular: imageverificationpolicy
|
|
scope: Cluster
|
|
versions:
|
|
- name: v1alpha1
|
|
schema:
|
|
openAPIV3Schema:
|
|
properties:
|
|
apiVersion:
|
|
description: |-
|
|
APIVersion defines the versioned schema of this representation of an object.
|
|
Servers should convert recognized schemas to the latest internal value, and
|
|
may reject unrecognized values.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
|
type: string
|
|
kind:
|
|
description: |-
|
|
Kind is a string value representing the REST resource this object represents.
|
|
Servers may infer this from the endpoint the client submits requests to.
|
|
Cannot be updated.
|
|
In CamelCase.
|
|
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: ImageVerificationPolicySpec is the specification of the desired
|
|
behavior of the ImageVerificationPolicy.
|
|
properties:
|
|
attestations:
|
|
description: Attestations provides a list of image metadata to verify
|
|
items:
|
|
description: Attestation defines the identification details of the metadata
|
|
that has to be verified
|
|
properties:
|
|
intoto:
|
|
description: InToto defines the details of attestation attached
|
|
using intoto format
|
|
properties:
|
|
type:
|
|
description: Type defines the type of attestation contained
|
|
within the statement.
|
|
type: string
|
|
required:
|
|
- type
|
|
type: object
|
|
name:
|
|
description: Name is the name for this attestation. It is used
|
|
to refer to the attestation in verification
|
|
type: string
|
|
referrer:
|
|
description: Referrer defines the details of attestation attached
|
|
using OCI 1.1 format
|
|
properties:
|
|
type:
|
|
description: Type defines the type of attestation attached
|
|
to the image.
|
|
type: string
|
|
required:
|
|
- type
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
attestors:
|
|
description: Attestors provides a list of trusted authorities.
|
|
items:
|
|
description: Attestor is an identity that confirms or verifies the
|
|
authenticity of an image or an attestation
|
|
properties:
|
|
cosign:
|
|
description: Cosign defines attestor configuration for Cosign
|
|
based signatures
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
Annotations are used for image verification.
|
|
Every specified key-value pair must exist and match in the verified payload.
|
|
The payload may contain other key-value pairs.
|
|
type: object
|
|
certificate:
|
|
description: Certificate defines the configuration for local
|
|
signature verification
|
|
properties:
|
|
cert:
|
|
description: Certificate is the to the public certificate
|
|
for local signature verification.
|
|
type: string
|
|
certChain:
|
|
description: |-
|
|
CertificateChain is the list of CA certificates in PEM format which will be needed
|
|
when building the certificate chain for the signing certificate. Must start with the
|
|
parent intermediate CA certificate of the signing certificate and end with the root certificate
|
|
type: string
|
|
type: object
|
|
ctlog:
|
|
description: CTLog sets the configuration to verify the
|
|
authority against a Rekor instance.
|
|
properties:
|
|
ctLogPubKey:
|
|
description: CTLogPubKey, if set, is used to validate
|
|
SCTs against a custom source.
|
|
type: string
|
|
insecureIgnoreSCT:
|
|
description: |-
|
|
IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
|
|
timestamp. Default is false. Set to true if this was opted out during signing.
|
|
type: boolean
|
|
insecureIgnoreTlog:
|
|
description: InsecureIgnoreTlog skips transparency log
|
|
verification.
|
|
type: boolean
|
|
rekorPubKey:
|
|
description: |-
|
|
RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
|
|
If set, this will be used to validate transparency log signatures from a custom Rekor.
|
|
type: string
|
|
tsaCertChain:
|
|
description: |-
|
|
TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
|
|
contain the root CA certificate. Optionally may contain intermediate CA certificates, and
|
|
may contain the leaf TSA certificate if not present in the timestamurce.
|
|
type: string
|
|
url:
|
|
description: URL sets the url to the rekor instance
|
|
(by default the public rekor.sigstore.dev)
|
|
type: string
|
|
type: object
|
|
key:
|
|
description: Key defines the type of key to validate the
|
|
image.
|
|
properties:
|
|
data:
|
|
description: Data contains the inline public key
|
|
type: string
|
|
hashAlgorithm:
|
|
description: |-
|
|
HashAlgorithm specifues signature algorithm for public keys. Supported values are
|
|
sha224, sha256, sha384 and sha512. Defaults to sha256.
|
|
type: string
|
|
kms:
|
|
description: |-
|
|
KMS contains the KMS url of the public key
|
|
Supported formats differ based on the KMS system used.
|
|
type: string
|
|
secretRef:
|
|
description: SecretRef sets a reference to a secret
|
|
with the key.
|
|
properties:
|
|
name:
|
|
description: name is unique within a namespace to
|
|
reference a secret resource.
|
|
type: string
|
|
namespace:
|
|
description: namespace defines the space within
|
|
which the secret name must be unique.
|
|
type: string
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: object
|
|
keyless:
|
|
description: Keyless sets the configuration to verify the
|
|
authority against a Fulcio instance.
|
|
properties:
|
|
identities:
|
|
description: Identities sets a list of identities.
|
|
items:
|
|
description: |-
|
|
Identity may contain the issuer and/or the subject found in the transparency
|
|
log.
|
|
Issuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp
|
|
apply a regexp for matching.
|
|
properties:
|
|
issuer:
|
|
description: Issuer defines the issuer for this
|
|
identity.
|
|
type: string
|
|
issuerRegExp:
|
|
description: IssuerRegExp specifies a regular
|
|
expression to match the issuer for this identity.
|
|
type: string
|
|
subject:
|
|
description: Subject defines the subject for this
|
|
identity.
|
|
type: string
|
|
subjectRegExp:
|
|
description: SubjectRegExp specifies a regular
|
|
expression to match the subject for this identity.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
roots:
|
|
description: |-
|
|
Roots is an optional set of PEM encoded trusted root certificates.
|
|
If not provided, the system roots are used.
|
|
type: string
|
|
required:
|
|
- identities
|
|
type: object
|
|
source:
|
|
description: Sources sets the configuration to specify the
|
|
sources from where to consume the signature and attestations.
|
|
properties:
|
|
PullSecrets:
|
|
description: |-
|
|
SignaturePullSecrets is an optional list of references to secrets in the
|
|
same namespace as the deploying resource for pulling any of the signatures
|
|
used by this Source.
|
|
items:
|
|
description: |-
|
|
LocalObjectReference contains enough information to let you locate the
|
|
referenced object inside the same namespace.
|
|
properties:
|
|
name:
|
|
default: ""
|
|
description: |-
|
|
Name of the referent.
|
|
This field is effectively required, but due to backwards compatibility is
|
|
allowed to be empty. Instances of this type with an empty value here are
|
|
almost certainly wrong.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|
type: string
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
repository:
|
|
description: Repository defines the location from where
|
|
to pull the signature / attestations.
|
|
type: string
|
|
tagPrefix:
|
|
description: |-
|
|
TagPrefix is an optional prefix that signature and attestations have.
|
|
This is the 'tag based discovery' and in the future once references are
|
|
fully supported that should likely be the preferred way to handle these.
|
|
type: string
|
|
type: object
|
|
tuf:
|
|
description: TUF defines the configuration to fetch sigstore
|
|
root
|
|
properties:
|
|
mirror:
|
|
description: Mirror is the base URL of Sigstore TUF
|
|
repository
|
|
type: string
|
|
root:
|
|
description: Root defines the path or data of the trusted
|
|
root
|
|
properties:
|
|
data:
|
|
description: Data is the base64 encoded TUF root
|
|
type: string
|
|
path:
|
|
description: Path is the URL or File location of
|
|
the TUF root
|
|
type: string
|
|
type: object
|
|
type: object
|
|
type: object
|
|
name:
|
|
description: Name is the name for this attestor. It is used
|
|
to refer to the attestor in verification
|
|
type: string
|
|
notary:
|
|
description: Notary defines attestor configuration for Notary
|
|
based signatures
|
|
properties:
|
|
certs:
|
|
description: Certs define the cert chain for Notary signature
|
|
verification
|
|
type: string
|
|
tsaCerts:
|
|
description: TSACerts define the cert chain for verifying
|
|
timestamps of notary signature
|
|
type: string
|
|
required:
|
|
- certs
|
|
type: object
|
|
required:
|
|
- name
|
|
type: object
|
|
type: array
|
|
credentials:
|
|
description: Credentials provides credentials that will be used for
|
|
authentication with registry.
|
|
properties:
|
|
allowInsecureRegistry:
|
|
description: AllowInsecureRegistry allows insecure access to a
|
|
registry.
|
|
type: boolean
|
|
providers:
|
|
description: |-
|
|
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
|
|
It can be of one of these values: default,google,azure,amazon,github.
|
|
items:
|
|
description: CredentialsProvidersType provides the list of credential
|
|
providers required.
|
|
enum:
|
|
- default
|
|
- amazon
|
|
- azure
|
|
- google
|
|
- github
|
|
type: string
|
|
type: array
|
|
secrets:
|
|
description: |-
|
|
Secrets specifies a list of secrets that are provided for credentials.
|
|
Secrets must live in the Kyverno namespace.
|
|
items:
|
|
type: string
|
|
type: array
|
|
type: object
|
|
failurePolicy:
|
|
description: |-
|
|
FailurePolicy defines how to handle failures for the admission policy. Failures can
|
|
occur from CEL expression parse errors, type check errors, runtime errors and invalid
|
|
or mis-configured policy definitions or bindings.
|
|
type: string
|
|
imageRules:
|
|
description: |-
|
|
ImagesRules is a list of Glob and CELExpressions to match images.
|
|
Any image that matches one of the rules is considered for validation
|
|
Any image that does not match a rule is skipped, even when they are passed as arguments to
|
|
image verification functions
|
|
items:
|
|
description: ImageRule defines a Glob or a CEL expression for matching
|
|
images
|
|
properties:
|
|
cel:
|
|
description: Cel defines CEL Expressions for matching images
|
|
type: string
|
|
glob:
|
|
description: Glob defines a globbing pattern for matching images
|
|
type: string
|
|
required:
|
|
- cel
|
|
type: object
|
|
type: array
|
|
images:
|
|
description: Images is a list of CEL expression to extract images
|
|
from the resource
|
|
items:
|
|
properties:
|
|
expression:
|
|
description: Expression defines CEL expression to extact images
|
|
from the resource.
|
|
type: string
|
|
name:
|
|
description: Name is the name for this imageList. It is used
|
|
to refer to the images in verification block as images.<name>
|
|
type: string
|
|
required:
|
|
- expression
|
|
- name
|
|
type: object
|
|
type: array
|
|
matchConditions:
|
|
description: |-
|
|
MatchConditions is a list of conditions that must be met for a request to be validated.
|
|
Match conditions filter requests that have already been matched by the rules,
|
|
namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
|
|
There are a maximum of 64 match conditions allowed.
|
|
items:
|
|
description: MatchCondition represents a condition which must by
|
|
fulfilled for a request to be sent to a webhook.
|
|
properties:
|
|
expression:
|
|
description: |-
|
|
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
|
|
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
|
|
|
|
'object' - The object from the incoming request. The value is null for DELETE requests.
|
|
'oldObject' - The existing object. The value is null for CREATE requests.
|
|
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
|
|
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
|
|
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
|
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
|
|
request resource.
|
|
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
|
|
|
|
Required.
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name is an identifier for this match condition, used for strategic merging of MatchConditions,
|
|
as well as providing an identifier for logging purposes. A good name should be descriptive of
|
|
the associated expression.
|
|
Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
|
|
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
|
|
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
|
|
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
|
|
|
|
Required.
|
|
type: string
|
|
required:
|
|
- expression
|
|
- name
|
|
type: object
|
|
type: array
|
|
matchConstraints:
|
|
description: MatchConstraints specifies what resources this policy
|
|
is designed to validate.
|
|
properties:
|
|
excludeResourceRules:
|
|
description: |-
|
|
ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.
|
|
The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
|
|
items:
|
|
description: NamedRuleWithOperations is a tuple of Operations
|
|
and Resources with ResourceNames.
|
|
properties:
|
|
apiGroups:
|
|
description: |-
|
|
APIGroups is the API groups the resources belong to. '*' is all groups.
|
|
If '*' is present, the length of the slice must be one.
|
|
Required.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
apiVersions:
|
|
description: |-
|
|
APIVersions is the API versions the resources belong to. '*' is all versions.
|
|
If '*' is present, the length of the slice must be one.
|
|
Required.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
operations:
|
|
description: |-
|
|
Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *
|
|
for all of those operations and any future admission operations that are added.
|
|
If '*' is present, the length of the slice must be one.
|
|
Required.
|
|
items:
|
|
description: OperationType specifies an operation for
|
|
a request.
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
resourceNames:
|
|
description: ResourceNames is an optional white list of
|
|
names that the rule applies to. An empty set means that
|
|
everything is allowed.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
resources:
|
|
description: |-
|
|
Resources is a list of resources this rule applies to.
|
|
|
|
For example:
|
|
'pods' means pods.
|
|
'pods/log' means the log subresource of pods.
|
|
'*' means all resources, but not subresources.
|
|
'pods/*' means all subresources of pods.
|
|
'*/scale' means all scale subresources.
|
|
'*/*' means all resources and their subresources.
|
|
|
|
If wildcard is present, the validation rule will ensure resources do not
|
|
overlap with each other.
|
|
|
|
Depending on the enclosing object, subresources might not be allowed.
|
|
Required.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
scope:
|
|
description: |-
|
|
scope specifies the scope of this rule.
|
|
Valid values are "Cluster", "Namespaced", and "*"
|
|
"Cluster" means that only cluster-scoped resources will match this rule.
|
|
Namespace API objects are cluster-scoped.
|
|
"Namespaced" means that only namespaced resources will match this rule.
|
|
"*" means that there are no scope restrictions.
|
|
Subresources match the scope of their parent resource.
|
|
Default is "*".
|
|
type: string
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchPolicy:
|
|
description: |-
|
|
matchPolicy defines how the "MatchResources" list is used to match incoming requests.
|
|
Allowed values are "Exact" or "Equivalent".
|
|
|
|
- Exact: match a request only if it exactly matches a specified rule.
|
|
For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
|
|
but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
|
|
a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.
|
|
|
|
- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
|
|
For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
|
|
and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
|
|
a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.
|
|
|
|
Defaults to "Equivalent"
|
|
type: string
|
|
namespaceSelector:
|
|
description: |-
|
|
NamespaceSelector decides whether to run the admission control policy on an object based
|
|
on whether the namespace for that object matches the selector. If the
|
|
object itself is a namespace, the matching is performed on
|
|
object.metadata.labels. If the object is another cluster scoped resource,
|
|
it never skips the policy.
|
|
|
|
For example, to run the webhook on any objects whose namespace is not
|
|
associated with "runlevel" of "0" or "1"; you will set the selector as
|
|
follows:
|
|
"namespaceSelector": {
|
|
"matchExpressions": [
|
|
{
|
|
"key": "runlevel",
|
|
"operator": "NotIn",
|
|
"values": [
|
|
"0",
|
|
"1"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
|
|
If instead you want to only run the policy on any objects whose
|
|
namespace is associated with the "environment" of "prod" or "staging";
|
|
you will set the selector as follows:
|
|
"namespaceSelector": {
|
|
"matchExpressions": [
|
|
{
|
|
"key": "environment",
|
|
"operator": "In",
|
|
"values": [
|
|
"prod",
|
|
"staging"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
|
|
See
|
|
https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
|
|
for more examples of label selectors.
|
|
|
|
Default to the empty LabelSelector, which matches everything.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label selector
|
|
requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the selector
|
|
applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
objectSelector:
|
|
description: |-
|
|
ObjectSelector decides whether to run the validation based on if the
|
|
object has matching labels. objectSelector is evaluated against both
|
|
the oldObject and newObject that would be sent to the cel validation, and
|
|
is considered to match if either object matches the selector. A null
|
|
object (oldObject in the case of create, or newObject in the case of
|
|
delete) or an object that cannot have labels (like a
|
|
DeploymentRollback or a PodProxyOptions object) is not considered to
|
|
match.
|
|
Use the object selector only if the webhook is opt-in, because end
|
|
users may skip the admission webhook by setting the labels.
|
|
Default to the empty LabelSelector, which matches everything.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label selector
|
|
requirements. The requirements are ANDed.
|
|
items:
|
|
description: |-
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the selector
|
|
applies to.
|
|
type: string
|
|
operator:
|
|
description: |-
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: |-
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: |-
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
resourceRules:
|
|
description: |-
|
|
ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.
|
|
The policy cares about an operation if it matches _any_ Rule.
|
|
items:
|
|
description: NamedRuleWithOperations is a tuple of Operations
|
|
and Resources with ResourceNames.
|
|
properties:
|
|
apiGroups:
|
|
description: |-
|
|
APIGroups is the API groups the resources belong to. '*' is all groups.
|
|
If '*' is present, the length of the slice must be one.
|
|
Required.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
apiVersions:
|
|
description: |-
|
|
APIVersions is the API versions the resources belong to. '*' is all versions.
|
|
If '*' is present, the length of the slice must be one.
|
|
Required.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
operations:
|
|
description: |-
|
|
Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *
|
|
for all of those operations and any future admission operations that are added.
|
|
If '*' is present, the length of the slice must be one.
|
|
Required.
|
|
items:
|
|
description: OperationType specifies an operation for
|
|
a request.
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
resourceNames:
|
|
description: ResourceNames is an optional white list of
|
|
names that the rule applies to. An empty set means that
|
|
everything is allowed.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
resources:
|
|
description: |-
|
|
Resources is a list of resources this rule applies to.
|
|
|
|
For example:
|
|
'pods' means pods.
|
|
'pods/log' means the log subresource of pods.
|
|
'*' means all resources, but not subresources.
|
|
'pods/*' means all subresources of pods.
|
|
'*/scale' means all scale subresources.
|
|
'*/*' means all resources and their subresources.
|
|
|
|
If wildcard is present, the validation rule will ensure resources do not
|
|
overlap with each other.
|
|
|
|
Depending on the enclosing object, subresources might not be allowed.
|
|
Required.
|
|
items:
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
scope:
|
|
description: |-
|
|
scope specifies the scope of this rule.
|
|
Valid values are "Cluster", "Namespaced", and "*"
|
|
"Cluster" means that only cluster-scoped resources will match this rule.
|
|
Namespace API objects are cluster-scoped.
|
|
"Namespaced" means that only namespaced resources will match this rule.
|
|
"*" means that there are no scope restrictions.
|
|
Subresources match the scope of their parent resource.
|
|
Default is "*".
|
|
type: string
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
mutateDigest:
|
|
default: true
|
|
description: |-
|
|
MutateDigest enables replacement of image tags with digests.
|
|
Defaults to true.
|
|
type: boolean
|
|
required:
|
|
default: true
|
|
description: Required validates that images are verified i.e. have
|
|
matched passed a signature or attestation check.
|
|
type: boolean
|
|
validationActions:
|
|
description: |-
|
|
ValidationAction specifies the action to be taken when the matched resource violates the policy.
|
|
Required.
|
|
items:
|
|
description: ValidationAction specifies a policy enforcement action.
|
|
type: string
|
|
type: array
|
|
x-kubernetes-list-type: set
|
|
variables:
|
|
description: |-
|
|
Variables contain definitions of variables that can be used in composition of other expressions.
|
|
Each variable is defined as a named CEL expression.
|
|
items:
|
|
description: Variable is the definition of a variable that is used
|
|
for composition. A variable is defined as a named expression.
|
|
properties:
|
|
expression:
|
|
description: |-
|
|
Expression is the expression that will be evaluated as the value of the variable.
|
|
The CEL expression has access to the same identifiers as the CEL expressions in Validation.
|
|
type: string
|
|
name:
|
|
description: |-
|
|
Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
|
|
The variable can be accessed in other expressions through `variables`
|
|
For example, if name is "foo", the variable will be available as `variables.foo`
|
|
type: string
|
|
required:
|
|
- expression
|
|
- name
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
verifications:
|
|
description: Verifications contain CEL expressions which is used to
|
|
apply the image verification checks.
|
|
items:
|
|
description: Validation specifies the CEL expression which is used
|
|
to apply the validation.
|
|
properties:
|
|
expression:
|
|
description: "Expression represents the expression which will
|
|
be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
|
|
expressions have access to the contents of the API request/response,
|
|
organized into CEL variables as well as some other useful
|
|
variables:\n\n- 'object' - The object from the incoming request.
|
|
The value is null for DELETE requests.\n- 'oldObject' - The
|
|
existing object. The value is null for CREATE requests.\n-
|
|
'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
|
|
'params' - Parameter resource referred to by the policy binding
|
|
being evaluated. Only populated if the policy has a ParamKind.\n-
|
|
'namespaceObject' - The namespace object that the incoming
|
|
object belongs to. The value is null for cluster-scoped resources.\n-
|
|
'variables' - Map of composited variables, from its name to
|
|
its lazily evaluated value.\n For example, a variable named
|
|
'foo' can be accessed as 'variables.foo'.\n- 'authorizer'
|
|
- A CEL Authorizer. May be used to perform authorization checks
|
|
for the principal (user or service account) of the request.\n
|
|
\ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
|
|
'authorizer.requestResource' - A CEL ResourceCheck constructed
|
|
from the 'authorizer' and configured with the\n request resource.\n\nThe
|
|
`apiVersion`, `kind`, `metadata.name` and `metadata.generateName`
|
|
are always accessible from the root of the\nobject. No other
|
|
metadata properties are accessible.\n\nOnly property names
|
|
of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible
|
|
property names are escaped according to the following rules
|
|
when accessed in the expression:\n- '__' escapes to '__underscores__'\n-
|
|
'.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/'
|
|
escapes to '__slash__'\n- Property names that exactly match
|
|
a CEL RESERVED keyword escape to '__{keyword}__'. The keywords
|
|
are:\n\t \"true\", \"false\", \"null\", \"in\", \"as\", \"break\",
|
|
\"const\", \"continue\", \"else\", \"for\", \"function\",
|
|
\"if\",\n\t \"import\", \"let\", \"loop\", \"package\", \"namespace\",
|
|
\"return\".\nExamples:\n - Expression accessing a property
|
|
named \"namespace\": {\"Expression\": \"object.__namespace__
|
|
> 0\"}\n - Expression accessing a property named \"x-prop\":
|
|
{\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression
|
|
accessing a property named \"redact__d\": {\"Expression\":
|
|
\"object.redact__underscores__d > 0\"}\n\nEquality on arrays
|
|
with list type of 'set' or 'map' ignores element order, i.e.
|
|
[1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type
|
|
use the semantics of the list type:\n - 'set': `X + Y` performs
|
|
a union where the array positions of all elements in `X` are
|
|
preserved and\n non-intersecting elements in `Y` are appended,
|
|
retaining their partial order.\n - 'map': `X + Y` performs
|
|
a merge where the array positions of all keys in `X` are preserved
|
|
but the values\n are overwritten by values in `Y` when
|
|
the key sets of `X` and `Y` intersect. Elements in `Y` with\n
|
|
\ non-intersecting keys are appended, retaining their partial
|
|
order.\nRequired."
|
|
type: string
|
|
message:
|
|
description: |-
|
|
Message represents the message displayed when validation fails. The message is required if the Expression contains
|
|
line breaks. The message must not contain line breaks.
|
|
If unset, the message is "failed rule: {Rule}".
|
|
e.g. "must be a URL with the host matching spec.host"
|
|
If the Expression contains line breaks. Message is required.
|
|
The message must not contain line breaks.
|
|
If unset, the message is "failed Expression: {Expression}".
|
|
type: string
|
|
messageExpression:
|
|
description: |-
|
|
messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
|
|
Since messageExpression is used as a failure message, it must evaluate to a string.
|
|
If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
|
|
If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
|
|
as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
|
|
that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
|
|
the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
|
|
messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
|
|
Example:
|
|
"object.x must be less than max ("+string(params.max)+")"
|
|
type: string
|
|
reason:
|
|
description: |-
|
|
Reason represents a machine-readable description of why this validation failed.
|
|
If this is the first validation in the list to fail, this reason, as well as the
|
|
corresponding HTTP response code, are used in the
|
|
HTTP response to the client.
|
|
The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
|
|
If not set, StatusReasonInvalid is used in the response to the client.
|
|
type: string
|
|
required:
|
|
- expression
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-type: atomic
|
|
verifyDigest:
|
|
default: true
|
|
description: VerifyDigest validates that images have a digest.
|
|
type: boolean
|
|
required:
|
|
- attestors
|
|
- matchConstraints
|
|
- verifications
|
|
type: object
|
|
required:
|
|
- spec
|
|
type: object
|
|
served: true
|
|
storage: true
|