1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-14 19:58:45 +00:00
kyverno/config/crds/kyverno/kyverno.io_cleanuppolicies.yaml
Charles-Edouard Brétéché fd5cfac9b4
feat: more openapi validation in v2 api (#11013)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2024-09-04 18:00:50 +00:00

2545 lines
146 KiB
YAML

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
name: cleanuppolicies.kyverno.io
spec:
group: kyverno.io
names:
categories:
- kyverno
kind: CleanupPolicy
listKind: CleanupPolicyList
plural: cleanuppolicies
shortNames:
- cleanpol
singular: cleanuppolicy
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.schedule
name: Schedule
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v2
schema:
openAPIV3Schema:
description: CleanupPolicy defines a rule for resource cleanup.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec declares policy behaviors.
properties:
conditions:
description: Conditions defines the conditions used to select the
resources which will be cleaned up.
properties:
all:
description: |-
AllConditions enable variable-based conditional rule execution. This is useful for
finer control of when an rule is applied. A condition can reference object data
using JMESPath notation.
Here, all of the conditions need to pass.
items:
properties:
key:
description: Key is the context entry (using JMESPath) for
conditional rule evaluation.
x-kubernetes-preserve-unknown-fields: true
message:
description: Message is an optional display message
type: string
operator:
description: |-
Operator is the conditional operation to perform. Valid operators are:
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
- AnyIn
- AllIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
description: |-
Value is the conditional value, or set of values. The values can be fixed set
or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
description: |-
AnyConditions enable variable-based conditional rule execution. This is useful for
finer control of when an rule is applied. A condition can reference object data
using JMESPath notation.
Here, at least one of the conditions need to pass.
items:
properties:
key:
description: Key is the context entry (using JMESPath) for
conditional rule evaluation.
x-kubernetes-preserve-unknown-fields: true
message:
description: Message is an optional display message
type: string
operator:
description: |-
Operator is the conditional operation to perform. Valid operators are:
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
- AnyIn
- AllIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
description: |-
Value is the conditional value, or set of values. The values can be fixed set
or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
type: object
context:
description: Context defines variables and data sources that can be
used during rule execution.
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
oneOf:
- required:
- configMap
- required:
- apiCall
- required:
- imageRegistry
- required:
- variable
- required:
- globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
The data returned is stored in the context with the name for the context entry.
properties:
data:
description: |-
The data object specifies the POST data sent to the server.
Only applicable when the method field is set to POST.
items:
description: RequestData contains the HTTP POST data
properties:
key:
description: Key is a unique identifier for the data
value
type: string
value:
description: Value is the data value
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
a JMESPath of "items | length(@)" applied to the API server response
for the URLPath "/apis/apps/v1/deployments" will return the total count
of deployments across all namespaces.
type: string
method:
default: GET
description: Method is the HTTP request type (GET or POST).
Defaults to GET.
enum:
- GET
- POST
type: string
service:
description: |-
Service is an API call to a JSON web service.
This is used for non-Kubernetes API server calls.
It's mutually exclusive with the URLPath field.
properties:
caBundle:
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
description: |-
URLPath is the URL path to be used in the HTTP GET or POST request to the
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
The format required is the same format used by the `kubectl get --raw` command.
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
for details.
It's mutually exclusive with the Service field.
type: string
type: object
configMap:
description: ConfigMap is the ConfigMap reference.
properties:
name:
description: Name is the ConfigMap name.
type: string
namespace:
description: Namespace is the ConfigMap namespace.
type: string
required:
- name
type: object
globalReference:
description: GlobalContextEntryReference is a reference to a
cached global context entry.
properties:
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
a JMESPath of "items | length(@)" applied to the API server response
for the URLPath "/apis/apps/v1/deployments" will return the total count
of deployments across all namespaces.
type: string
name:
description: Name of the global context entry
type: string
required:
- name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
that will be used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows insecure access
to a registry.
type: boolean
providers:
description: |-
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: |-
Secrets specifies a list of secrets that are provided for credentials.
Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
description: |-
Reference is image reference to a container image in the registry.
Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
type: object
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath context
variable that can be defined inline.
properties:
default:
description: |-
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JMESPath Expression that can be used to
transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
required:
- name
type: object
type: array
exclude:
description: |-
ExcludeResources defines when cleanuppolicy should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
not:
required:
- any
- all
properties:
all:
description: All allows specifying resources which will be ANDed
items:
description: ResourceFilter allow users to "AND" or "OR" between
resources
properties:
clusterRoles:
description: ClusterRoles is the list of cluster-wide role
names for the user.
items:
type: string
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
not:
required:
- name
- names
properties:
annotations:
additionalProperties:
type: string
description: |-
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
items:
type: string
type: array
name:
description: |-
Name is the name of the resource. The name supports wildcard characters
"*" (matches zero or many characters) and "?" (at least one character).
NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
description: |-
Names are the names of the resources. Each name supports wildcard characters
"*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
description: |-
NamespaceSelector is a label selector for the resource namespace. Label keys and values
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
and `?` (matches one character).Wildcards allows writing label selectors like
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: |-
Namespaces is a list of namespaces names. Each name supports wildcard characters
"*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
operations:
description: Operations can contain values ["CREATE,
"UPDATE", "CONNECT", "DELETE"], which are used to
match a specific action.
items:
description: AdmissionOperation can have one of the
values CREATE, UPDATE, CONNECT, DELETE, which are
used to match a specific action.
enum:
- CREATE
- CONNECT
- UPDATE
- DELETE
type: string
type: array
selector:
description: |-
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
characters `*` (matches zero or many characters) and `?` (matches one character).
Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names
for the user.
items:
type: string
type: array
subjects:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
description: |-
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
or a value for non-objects such as user and group names.
properties:
apiGroup:
description: |-
APIGroup holds the API group of the referenced subject.
Defaults to "" for ServiceAccount subjects.
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
description: |-
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
description: |-
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
any:
description: Any allows specifying resources which will be ORed
items:
description: ResourceFilter allow users to "AND" or "OR" between
resources
properties:
clusterRoles:
description: ClusterRoles is the list of cluster-wide role
names for the user.
items:
type: string
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
not:
required:
- name
- names
properties:
annotations:
additionalProperties:
type: string
description: |-
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
items:
type: string
type: array
name:
description: |-
Name is the name of the resource. The name supports wildcard characters
"*" (matches zero or many characters) and "?" (at least one character).
NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
description: |-
Names are the names of the resources. Each name supports wildcard characters
"*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
description: |-
NamespaceSelector is a label selector for the resource namespace. Label keys and values
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
and `?` (matches one character).Wildcards allows writing label selectors like
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: |-
Namespaces is a list of namespaces names. Each name supports wildcard characters
"*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
operations:
description: Operations can contain values ["CREATE,
"UPDATE", "CONNECT", "DELETE"], which are used to
match a specific action.
items:
description: AdmissionOperation can have one of the
values CREATE, UPDATE, CONNECT, DELETE, which are
used to match a specific action.
enum:
- CREATE
- CONNECT
- UPDATE
- DELETE
type: string
type: array
selector:
description: |-
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
characters `*` (matches zero or many characters) and `?` (matches one character).
Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names
for the user.
items:
type: string
type: array
subjects:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
description: |-
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
or a value for non-objects such as user and group names.
properties:
apiGroup:
description: |-
APIGroup holds the API group of the referenced subject.
Defaults to "" for ServiceAccount subjects.
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
description: |-
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
description: |-
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
type: object
match:
description: |-
MatchResources defines when cleanuppolicy should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
not:
required:
- any
- all
properties:
all:
description: All allows specifying resources which will be ANDed
items:
description: ResourceFilter allow users to "AND" or "OR" between
resources
properties:
clusterRoles:
description: ClusterRoles is the list of cluster-wide role
names for the user.
items:
type: string
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
not:
required:
- name
- names
properties:
annotations:
additionalProperties:
type: string
description: |-
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
items:
type: string
type: array
name:
description: |-
Name is the name of the resource. The name supports wildcard characters
"*" (matches zero or many characters) and "?" (at least one character).
NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
description: |-
Names are the names of the resources. Each name supports wildcard characters
"*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
description: |-
NamespaceSelector is a label selector for the resource namespace. Label keys and values
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
and `?` (matches one character).Wildcards allows writing label selectors like
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: |-
Namespaces is a list of namespaces names. Each name supports wildcard characters
"*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
operations:
description: Operations can contain values ["CREATE,
"UPDATE", "CONNECT", "DELETE"], which are used to
match a specific action.
items:
description: AdmissionOperation can have one of the
values CREATE, UPDATE, CONNECT, DELETE, which are
used to match a specific action.
enum:
- CREATE
- CONNECT
- UPDATE
- DELETE
type: string
type: array
selector:
description: |-
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
characters `*` (matches zero or many characters) and `?` (matches one character).
Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names
for the user.
items:
type: string
type: array
subjects:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
description: |-
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
or a value for non-objects such as user and group names.
properties:
apiGroup:
description: |-
APIGroup holds the API group of the referenced subject.
Defaults to "" for ServiceAccount subjects.
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
description: |-
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
description: |-
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
any:
description: Any allows specifying resources which will be ORed
items:
description: ResourceFilter allow users to "AND" or "OR" between
resources
properties:
clusterRoles:
description: ClusterRoles is the list of cluster-wide role
names for the user.
items:
type: string
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
not:
required:
- name
- names
properties:
annotations:
additionalProperties:
type: string
description: |-
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
items:
type: string
type: array
name:
description: |-
Name is the name of the resource. The name supports wildcard characters
"*" (matches zero or many characters) and "?" (at least one character).
NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
description: |-
Names are the names of the resources. Each name supports wildcard characters
"*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
description: |-
NamespaceSelector is a label selector for the resource namespace. Label keys and values
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
and `?` (matches one character).Wildcards allows writing label selectors like
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: |-
Namespaces is a list of namespaces names. Each name supports wildcard characters
"*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
operations:
description: Operations can contain values ["CREATE,
"UPDATE", "CONNECT", "DELETE"], which are used to
match a specific action.
items:
description: AdmissionOperation can have one of the
values CREATE, UPDATE, CONNECT, DELETE, which are
used to match a specific action.
enum:
- CREATE
- CONNECT
- UPDATE
- DELETE
type: string
type: array
selector:
description: |-
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
characters `*` (matches zero or many characters) and `?` (matches one character).
Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names
for the user.
items:
type: string
type: array
subjects:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
description: |-
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
or a value for non-objects such as user and group names.
properties:
apiGroup:
description: |-
APIGroup holds the API group of the referenced subject.
Defaults to "" for ServiceAccount subjects.
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
description: |-
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
description: |-
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
type: object
schedule:
description: The schedule in Cron format
type: string
required:
- schedule
type: object
status:
description: Status contains policy runtime data.
properties:
conditions:
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
lastExecutionTime:
format: date-time
type: string
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .spec.schedule
name: Schedule
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
deprecated: true
name: v2beta1
schema:
openAPIV3Schema:
description: CleanupPolicy defines a rule for resource cleanup.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec declares policy behaviors.
properties:
conditions:
description: Conditions defines the conditions used to select the
resources which will be cleaned up.
properties:
all:
description: |-
AllConditions enable variable-based conditional rule execution. This is useful for
finer control of when an rule is applied. A condition can reference object data
using JMESPath notation.
Here, all of the conditions need to pass.
items:
properties:
key:
description: Key is the context entry (using JMESPath) for
conditional rule evaluation.
x-kubernetes-preserve-unknown-fields: true
message:
description: Message is an optional display message
type: string
operator:
description: |-
Operator is the conditional operation to perform. Valid operators are:
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
- AnyIn
- AllIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
description: |-
Value is the conditional value, or set of values. The values can be fixed set
or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
description: |-
AnyConditions enable variable-based conditional rule execution. This is useful for
finer control of when an rule is applied. A condition can reference object data
using JMESPath notation.
Here, at least one of the conditions need to pass.
items:
properties:
key:
description: Key is the context entry (using JMESPath) for
conditional rule evaluation.
x-kubernetes-preserve-unknown-fields: true
message:
description: Message is an optional display message
type: string
operator:
description: |-
Operator is the conditional operation to perform. Valid operators are:
Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
DurationLessThanOrEquals, DurationLessThan
enum:
- Equals
- NotEquals
- AnyIn
- AllIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
description: |-
Value is the conditional value, or set of values. The values can be fixed set
or can be variables declared using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
type: object
context:
description: Context defines variables and data sources that can be
used during rule execution.
items:
description: |-
ContextEntry adds variables and data sources to a rule Context. Either a
ConfigMap reference or a APILookup must be provided.
oneOf:
- required:
- configMap
- required:
- apiCall
- required:
- imageRegistry
- required:
- variable
- required:
- globalReference
properties:
apiCall:
description: |-
APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
The data returned is stored in the context with the name for the context entry.
properties:
data:
description: |-
The data object specifies the POST data sent to the server.
Only applicable when the method field is set to POST.
items:
description: RequestData contains the HTTP POST data
properties:
key:
description: Key is a unique identifier for the data
value
type: string
value:
description: Value is the data value
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
a JMESPath of "items | length(@)" applied to the API server response
for the URLPath "/apis/apps/v1/deployments" will return the total count
of deployments across all namespaces.
type: string
method:
default: GET
description: Method is the HTTP request type (GET or POST).
Defaults to GET.
enum:
- GET
- POST
type: string
service:
description: |-
Service is an API call to a JSON web service.
This is used for non-Kubernetes API server calls.
It's mutually exclusive with the URLPath field.
properties:
caBundle:
description: |-
CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.
type: string
url:
description: |-
URL is the JSON web service URL. A typical form is
`https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
description: |-
URLPath is the URL path to be used in the HTTP GET or POST request to the
Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
The format required is the same format used by the `kubectl get --raw` command.
See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
for details.
It's mutually exclusive with the Service field.
type: string
type: object
configMap:
description: ConfigMap is the ConfigMap reference.
properties:
name:
description: Name is the ConfigMap name.
type: string
namespace:
description: Namespace is the ConfigMap namespace.
type: string
required:
- name
type: object
globalReference:
description: GlobalContextEntryReference is a reference to a
cached global context entry.
properties:
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the server. For example
a JMESPath of "items | length(@)" applied to the API server response
for the URLPath "/apis/apps/v1/deployments" will return the total count
of deployments across all namespaces.
type: string
name:
description: Name of the global context entry
type: string
required:
- name
type: object
imageRegistry:
description: |-
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
that will be used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows insecure access
to a registry.
type: boolean
providers:
description: |-
Providers specifies a list of OCI Registry names, whose authentication providers are provided.
It can be of one of these values: default,google,azure,amazon,github.
items:
description: ImageRegistryCredentialsProvidersType
provides the list of credential providers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: |-
Secrets specifies a list of secrets that are provided for credentials.
Secrets must live in the Kyverno namespace.
items:
type: string
type: array
type: object
jmesPath:
description: |-
JMESPath is an optional JSON Match Expression that can be used to
transform the ImageData struct returned as a result of processing
the image reference.
type: string
reference:
description: |-
Reference is image reference to a container image in the registry.
Example: ghcr.io/kyverno/kyverno:latest
type: string
required:
- reference
type: object
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath context
variable that can be defined inline.
properties:
default:
description: |-
Default is an optional arbitrary JSON object that the variable may take if the JMESPath
expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: |-
JMESPath is an optional JMESPath Expression that can be used to
transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
required:
- name
type: object
type: array
exclude:
description: |-
ExcludeResources defines when cleanuppolicy should not be applied. The exclude
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the name or role.
not:
required:
- any
- all
properties:
all:
description: All allows specifying resources which will be ANDed
items:
description: ResourceFilter allow users to "AND" or "OR" between
resources
properties:
clusterRoles:
description: ClusterRoles is the list of cluster-wide role
names for the user.
items:
type: string
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
not:
required:
- name
- names
properties:
annotations:
additionalProperties:
type: string
description: |-
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
items:
type: string
type: array
name:
description: |-
Name is the name of the resource. The name supports wildcard characters
"*" (matches zero or many characters) and "?" (at least one character).
NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
description: |-
Names are the names of the resources. Each name supports wildcard characters
"*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
description: |-
NamespaceSelector is a label selector for the resource namespace. Label keys and values
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
and `?` (matches one character).Wildcards allows writing label selectors like
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: |-
Namespaces is a list of namespaces names. Each name supports wildcard characters
"*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
operations:
description: Operations can contain values ["CREATE,
"UPDATE", "CONNECT", "DELETE"], which are used to
match a specific action.
items:
description: AdmissionOperation can have one of the
values CREATE, UPDATE, CONNECT, DELETE, which are
used to match a specific action.
enum:
- CREATE
- CONNECT
- UPDATE
- DELETE
type: string
type: array
selector:
description: |-
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
characters `*` (matches zero or many characters) and `?` (matches one character).
Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names
for the user.
items:
type: string
type: array
subjects:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
description: |-
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
or a value for non-objects such as user and group names.
properties:
apiGroup:
description: |-
APIGroup holds the API group of the referenced subject.
Defaults to "" for ServiceAccount subjects.
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
description: |-
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
description: |-
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
any:
description: Any allows specifying resources which will be ORed
items:
description: ResourceFilter allow users to "AND" or "OR" between
resources
properties:
clusterRoles:
description: ClusterRoles is the list of cluster-wide role
names for the user.
items:
type: string
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
not:
required:
- name
- names
properties:
annotations:
additionalProperties:
type: string
description: |-
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
items:
type: string
type: array
name:
description: |-
Name is the name of the resource. The name supports wildcard characters
"*" (matches zero or many characters) and "?" (at least one character).
NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
description: |-
Names are the names of the resources. Each name supports wildcard characters
"*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
description: |-
NamespaceSelector is a label selector for the resource namespace. Label keys and values
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
and `?` (matches one character).Wildcards allows writing label selectors like
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: |-
Namespaces is a list of namespaces names. Each name supports wildcard characters
"*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
operations:
description: Operations can contain values ["CREATE,
"UPDATE", "CONNECT", "DELETE"], which are used to
match a specific action.
items:
description: AdmissionOperation can have one of the
values CREATE, UPDATE, CONNECT, DELETE, which are
used to match a specific action.
enum:
- CREATE
- CONNECT
- UPDATE
- DELETE
type: string
type: array
selector:
description: |-
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
characters `*` (matches zero or many characters) and `?` (matches one character).
Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names
for the user.
items:
type: string
type: array
subjects:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
description: |-
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
or a value for non-objects such as user and group names.
properties:
apiGroup:
description: |-
APIGroup holds the API group of the referenced subject.
Defaults to "" for ServiceAccount subjects.
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
description: |-
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
description: |-
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
type: object
match:
description: |-
MatchResources defines when cleanuppolicy should be applied. The match
criteria can include resource information (e.g. kind, name, namespace, labels)
and admission review request information like the user name or role.
At least one kind is required.
not:
required:
- any
- all
properties:
all:
description: All allows specifying resources which will be ANDed
items:
description: ResourceFilter allow users to "AND" or "OR" between
resources
properties:
clusterRoles:
description: ClusterRoles is the list of cluster-wide role
names for the user.
items:
type: string
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
not:
required:
- name
- names
properties:
annotations:
additionalProperties:
type: string
description: |-
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
items:
type: string
type: array
name:
description: |-
Name is the name of the resource. The name supports wildcard characters
"*" (matches zero or many characters) and "?" (at least one character).
NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
description: |-
Names are the names of the resources. Each name supports wildcard characters
"*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
description: |-
NamespaceSelector is a label selector for the resource namespace. Label keys and values
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
and `?` (matches one character).Wildcards allows writing label selectors like
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: |-
Namespaces is a list of namespaces names. Each name supports wildcard characters
"*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
operations:
description: Operations can contain values ["CREATE,
"UPDATE", "CONNECT", "DELETE"], which are used to
match a specific action.
items:
description: AdmissionOperation can have one of the
values CREATE, UPDATE, CONNECT, DELETE, which are
used to match a specific action.
enum:
- CREATE
- CONNECT
- UPDATE
- DELETE
type: string
type: array
selector:
description: |-
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
characters `*` (matches zero or many characters) and `?` (matches one character).
Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names
for the user.
items:
type: string
type: array
subjects:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
description: |-
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
or a value for non-objects such as user and group names.
properties:
apiGroup:
description: |-
APIGroup holds the API group of the referenced subject.
Defaults to "" for ServiceAccount subjects.
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
description: |-
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
description: |-
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
any:
description: Any allows specifying resources which will be ORed
items:
description: ResourceFilter allow users to "AND" or "OR" between
resources
properties:
clusterRoles:
description: ClusterRoles is the list of cluster-wide role
names for the user.
items:
type: string
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
not:
required:
- name
- names
properties:
annotations:
additionalProperties:
type: string
description: |-
Annotations is a map of annotations (key-value pairs of type string). Annotation keys
and values support the wildcard characters "*" (matches zero or many characters) and
"?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
items:
type: string
type: array
name:
description: |-
Name is the name of the resource. The name supports wildcard characters
"*" (matches zero or many characters) and "?" (at least one character).
NOTE: "Name" is being deprecated in favor of "Names".
type: string
names:
description: |-
Names are the names of the resources. Each name supports wildcard characters
"*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
description: |-
NamespaceSelector is a label selector for the resource namespace. Label keys and values
in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
and `?` (matches one character).Wildcards allows writing label selectors like
["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: |-
Namespaces is a list of namespaces names. Each name supports wildcard characters
"*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
operations:
description: Operations can contain values ["CREATE,
"UPDATE", "CONNECT", "DELETE"], which are used to
match a specific action.
items:
description: AdmissionOperation can have one of the
values CREATE, UPDATE, CONNECT, DELETE, which are
used to match a specific action.
enum:
- CREATE
- CONNECT
- UPDATE
- DELETE
type: string
type: array
selector:
description: |-
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
characters `*` (matches zero or many characters) and `?` (matches one character).
Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
using ["*" : "*"] matches any key and value but does not match an empty label set.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names
for the user.
items:
type: string
type: array
subjects:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
description: |-
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
or a value for non-objects such as user and group names.
properties:
apiGroup:
description: |-
APIGroup holds the API group of the referenced subject.
Defaults to "" for ServiceAccount subjects.
Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
description: |-
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
description: |-
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
the Authorizer should report an error.
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
type: object
schedule:
description: The schedule in Cron format
type: string
required:
- schedule
type: object
status:
description: Status contains policy runtime data.
properties:
conditions:
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
lastExecutionTime:
format: date-time
type: string
type: object
required:
- spec
type: object
served: true
storage: false
subresources:
status: {}