From 36e0877181517d97ac46077d03c7addc27a015e1 Mon Sep 17 00:00:00 2001 From: krishbajaj1609 <168710331+krishbajaj1609@users.noreply.github.com> Date: Sun, 5 Jan 2025 18:57:24 +0530 Subject: [PATCH] Feature/secure installation (#466) * Removed kyverno installation * Removed kyverno installation * add enabledPolicyset field * add kyverno cr * add webhook * update chart.yaml * update chart.yaml --- .../Chart.yaml | 2 +- .../security.nirmata.io_kyvernoes.yaml | 104 +- charts/enterprise-kyverno-operator/Chart.yaml | 4 +- .../kyverno.io_admissionreports.yaml | 667 - .../kyverno.io_backgroundscanreports.yaml | 585 - .../kyverno.io_cleanuppolicies.yaml | 3684 ---- .../kyverno.io_clusteradmissionreports.yaml | 669 - ...verno.io_clusterbackgroundscanreports.yaml | 585 - .../kyverno.io_clustercleanuppolicies.yaml | 3684 ---- .../kyverno.io_clusterpolicies.yaml | 16562 --------------- .../kyverno.io_globalcontextentries.yaml | 249 - .../kyverno.io/kyverno.io_policies.yaml | 16565 ---------------- .../kyverno.io_policyexceptions.yaml | 1887 -- .../kyverno.io/kyverno.io_updaterequests.yaml | 784 - ...ts.kyverno.io_clusterephemeralreports.yaml | 357 - .../reports.kyverno.io_ephemeralreports.yaml | 357 - .../crds/security.nirmata.io_kyvernoes.yaml | 104 +- .../templates/_cr-kyverno-helpers.tpl | 161 - .../crds/aws-adapter-config-crd.yaml | 411 - .../namespace/aws-adapter.yaml | 6 - .../namespace/rolebindings.yaml | 15 - .../aws-adapter-0.3/namespace/roles.yaml | 11 - .../aws-adapter-0.3/rbac/_helpers.tpl | 64 - .../templates/aws-adapter-0.3/rbac/rbac.yaml | 65 - .../namespace/namespace/cis-adapter.yaml | 8 - .../namespace/namespace/rolebindings.yaml | 15 - .../namespace/namespace/roles.yaml | 11 - .../cis-adapter-1.2/rbac/_helpers.tpl | 70 - .../templates/cis-adapter-1.2/rbac/rb.yaml | 16 - .../templates/cis-adapter-1.2/rbac/role.yaml | 18 - .../cis-adapter-1.2/rbac/serviceaccount.yaml | 13 - .../templates/cr-aws-adapter.yaml | 29 - .../templates/cr-cis-adapter.yaml | 29 - .../templates/cr-image-scan-adapter.yaml | 27 - .../templates/cr-kyverno.yaml | 13 +- .../templates/crds-common/policyReports.yaml | 728 - .../templates/deployment.yaml | 3 + ...ty.nirmata.io_imagescanadapterconfigs.yaml | 99 - .../namespace/image-scan-adapter.yaml | 6 - .../namespace/rolebindings.yaml | 15 - .../namespace/roles.yaml | 11 - .../image-scan-adapter-0.1/rbac/_helpers.tpl | 64 - .../image-scan-adapter-0.1/rbac/rbac.yaml | 151 - .../templates/kyverno-1.12/_helpers.tpl | 97 - .../kyverno-1.12/_templating/_helpers.tpl | 16 - .../kyverno-1.12/_templating/namespace.yaml | 8 - .../admission-controller/_helpers.tpl | 53 - .../admission-controller/clusterrole.yaml | 163 - .../clusterrolebinding.yaml | 21 - .../admission-controller/role.yaml | 77 - .../admission-controller/rolebinding.yaml | 17 - .../admission-controller/serviceaccount.yaml | 13 - .../background-controller/_helpers.tpl | 58 - .../background-controller/clusterrole.yaml | 133 - .../clusterrolebinding.yaml | 23 - .../background-controller/role.yaml | 53 - .../background-controller/rolebinding.yaml | 24 - .../background-controller/serviceaccount.yaml | 15 - .../cleanup-controller/_helpers.tpl | 54 - .../cleanup-controller/clusterrole.yaml | 138 - .../clusterrolebinding.yaml | 23 - .../kyverno-1.12/cleanup-controller/role.yaml | 64 - .../cleanup-controller/rolebinding.yaml | 24 - .../cleanup-controller/serviceaccount.yaml | 15 - .../kyverno-1.12/cleanup/_helpers.tpl | 9 - .../kyverno-1.12/cleanup/clusterrole.yaml | 21 - .../cleanup/clusterrolebinding.yaml | 19 - .../kyverno-1.12/cleanup/serviceaccount.yaml | 12 - .../kyverno-1.12/config/_helpers.tpl | 82 - .../kyverno-1.12/namespace/namespace.yaml | 8 - .../kyverno-1.12/namespace/rolebindings.yaml | 13 - .../kyverno-1.12/namespace/roles.yaml | 9 - .../templates/kyverno-1.12/rbac/_helpers.tpl | 28 - .../templates/kyverno-1.12/rbac/policies.yaml | 48 - .../kyverno-1.12/rbac/policyreports.yaml | 44 - .../templates/kyverno-1.12/rbac/reports.yaml | 70 - .../kyverno-1.12/rbac/updaterequests.yaml | 42 - .../reports-controller/_helpers.tpl | 58 - .../reports-controller/clusterrole.yaml | 135 - .../clusterrolebinding.yaml | 23 - .../kyverno-1.12/reports-controller/role.yaml | 45 - .../reports-controller/rolebinding.yaml | 24 - .../reports-controller/serviceaccount.yaml | 15 - .../templates/kyverno-1.12/validate.yaml | 43 - .../templates/kyverno-webhook/_helpers.tpl | 26 + ...ost-kyverno-upgrade-migrate-resources.yaml | 117 - .../templates/post-kyverno-upgrade.yaml | 61 - .../templates/pre-delete-hook.yaml | 9 - .../enterprise-kyverno-operator/values.yaml | 3 + 89 files changed, 119 insertions(+), 50842 deletions(-) delete mode 100644 charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_admissionreports.yaml delete mode 100644 charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_backgroundscanreports.yaml delete mode 100644 charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_cleanuppolicies.yaml delete mode 100644 charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_clusteradmissionreports.yaml delete mode 100644 charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_clusterbackgroundscanreports.yaml delete mode 100644 charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_clustercleanuppolicies.yaml delete mode 100644 charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml delete mode 100644 charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_globalcontextentries.yaml delete mode 100644 charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml delete mode 100644 charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_policyexceptions.yaml delete mode 100644 charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml delete mode 100644 charts/enterprise-kyverno-operator/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_clusterephemeralreports.yaml delete mode 100644 charts/enterprise-kyverno-operator/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_ephemeralreports.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/_cr-kyverno-helpers.tpl delete mode 100644 charts/enterprise-kyverno-operator/templates/aws-adapter-0.3/crds/aws-adapter-config-crd.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/aws-adapter-0.3/namespace/aws-adapter.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/aws-adapter-0.3/namespace/rolebindings.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/aws-adapter-0.3/namespace/roles.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/aws-adapter-0.3/rbac/_helpers.tpl delete mode 100644 charts/enterprise-kyverno-operator/templates/aws-adapter-0.3/rbac/rbac.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/cis-adapter-1.2/namespace/namespace/cis-adapter.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/cis-adapter-1.2/namespace/namespace/rolebindings.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/cis-adapter-1.2/namespace/namespace/roles.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/cis-adapter-1.2/rbac/_helpers.tpl delete mode 100644 charts/enterprise-kyverno-operator/templates/cis-adapter-1.2/rbac/rb.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/cis-adapter-1.2/rbac/role.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/cis-adapter-1.2/rbac/serviceaccount.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/cr-aws-adapter.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/cr-cis-adapter.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/cr-image-scan-adapter.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/crds-common/policyReports.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/image-scan-adapter-0.1/crds/security.nirmata.io_imagescanadapterconfigs.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/image-scan-adapter-0.1/namespace/image-scan-adapter.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/image-scan-adapter-0.1/namespace/rolebindings.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/image-scan-adapter-0.1/namespace/roles.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/image-scan-adapter-0.1/rbac/_helpers.tpl delete mode 100644 charts/enterprise-kyverno-operator/templates/image-scan-adapter-0.1/rbac/rbac.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/_helpers.tpl delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/_templating/_helpers.tpl delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/_templating/namespace.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/admission-controller/_helpers.tpl delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/admission-controller/clusterrole.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/admission-controller/clusterrolebinding.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/admission-controller/role.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/admission-controller/rolebinding.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/admission-controller/serviceaccount.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/background-controller/_helpers.tpl delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/background-controller/clusterrole.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/background-controller/clusterrolebinding.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/background-controller/role.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/background-controller/rolebinding.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/background-controller/serviceaccount.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup-controller/_helpers.tpl delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup-controller/clusterrole.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup-controller/clusterrolebinding.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup-controller/role.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup-controller/rolebinding.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup-controller/serviceaccount.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup/_helpers.tpl delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup/clusterrole.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup/clusterrolebinding.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup/serviceaccount.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/config/_helpers.tpl delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/namespace/namespace.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/namespace/rolebindings.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/namespace/roles.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/rbac/_helpers.tpl delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/rbac/policies.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/rbac/policyreports.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/rbac/reports.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/rbac/updaterequests.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/reports-controller/_helpers.tpl delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/reports-controller/clusterrole.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/reports-controller/clusterrolebinding.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/reports-controller/role.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/reports-controller/rolebinding.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/reports-controller/serviceaccount.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-1.12/validate.yaml create mode 100644 charts/enterprise-kyverno-operator/templates/kyverno-webhook/_helpers.tpl delete mode 100644 charts/enterprise-kyverno-operator/templates/post-kyverno-upgrade-migrate-resources.yaml delete mode 100644 charts/enterprise-kyverno-operator/templates/post-kyverno-upgrade.yaml diff --git a/charts/enterprise-kyverno-operator-crd/Chart.yaml b/charts/enterprise-kyverno-operator-crd/Chart.yaml index 048008e2..93efea41 100644 --- a/charts/enterprise-kyverno-operator-crd/Chart.yaml +++ b/charts/enterprise-kyverno-operator-crd/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: nirmata-kyverno-operator-crd description: Helm Chart for Enterprise Kyverno Operator type: application -version: v0.5.0 +version: v0.5.1 appVersion: v0.3.3 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png diff --git a/charts/enterprise-kyverno-operator-crd/templates/security.nirmata.io_kyvernoes.yaml b/charts/enterprise-kyverno-operator-crd/templates/security.nirmata.io_kyvernoes.yaml index 11f60235..8d4b359d 100644 --- a/charts/enterprise-kyverno-operator-crd/templates/security.nirmata.io_kyvernoes.yaml +++ b/charts/enterprise-kyverno-operator-crd/templates/security.nirmata.io_kyvernoes.yaml @@ -3,10 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - labels: - app.kubernetes.io/part-of: nirmata-kyverno-operator - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.15.0 name: kyvernoconfigs.security.nirmata.io spec: group: security.nirmata.io @@ -14,11 +11,11 @@ spec: kind: KyvernoConfig listKind: KyvernoConfigList plural: kyvernoconfigs - singular: kyvernoconfig shortNames: - kycfg - kyvernocfg - kyvernoconf + singular: kyvernoconfig scope: Namespaced versions: - additionalPrinterColumns: @@ -41,53 +38,27 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: Kyverno is the Schema for the kyvernoconfigs API + description: KyvernoConfig is the Schema for the kyvernoconfig API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: KyvernoSpec defines the desired state of Kyverno - properties: - apiKey: - type: string - helm: - additionalProperties: - type: object - x-kubernetes-preserve-unknown-fields: true - description: Finer customizations for each component are provided - in a generic object structure, typically matching the value.yaml - of individual components - type: object - licenseKey: - type: string - namespace: - default: kyverno - enum: - - kyverno - type: string - replicas: - default: 1 - format: int32 - type: integer - repository: - default: ghcr.io/nirmata - type: string - secrets: - description: Secrets storing licenseKey, apiKey - type: string - version: - default: v1.10.4-n4k.nirmata.1 - type: string + description: KyvernoConfigSpec defines the desired state of Kyverno type: object status: description: KyvernoStatus defines the observed state of Kyverno @@ -100,37 +71,37 @@ spec: operational state. properties: lastTransitionTime: - description: Last time the condition transitioned from one status - to another. This should be when the underlying condition changed. - If that is not known, then using the time when the API field - changed is acceptable. + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. format: date-time type: string message: - description: A human readable message indicating details about - the transition. This field may be empty. + description: |- + A human readable message indicating details about the transition. + This field may be empty. type: string reason: - description: The reason for the condition's last transition - in CamelCase. The specific API may choose whether or not this - field is considered a guaranteed API. This field may not be - empty. + description: |- + The reason for the condition's last transition in CamelCase. + The specific API may choose whether or not this field is considered a guaranteed API. + This field may not be empty. type: string severity: - description: Severity provides an explicit classification of - Reason code, so the users or machines can immediately understand - the current situation and act accordingly. The Severity field - MUST be set only when Status=False. + description: |- + Severity provides an explicit classification of Reason code, so the users or machines can immediately + understand the current situation and act accordingly. + The Severity field MUST be set only when Status=False. type: string status: description: Status of the condition, one of True, False, Unknown. type: string type: - description: Type of condition in CamelCase or in foo.example.com/CamelCase. - Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. + description: |- + Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability to deconflict is important. type: string required: - lastTransitionTime @@ -147,6 +118,13 @@ spec: lastUpdated: format: date-time type: string + namespace: + type: string + replicas: + format: int32 + type: integer + version: + type: string required: - isHA - isRunning diff --git a/charts/enterprise-kyverno-operator/Chart.yaml b/charts/enterprise-kyverno-operator/Chart.yaml index d19376e9..7629e114 100644 --- a/charts/enterprise-kyverno-operator/Chart.yaml +++ b/charts/enterprise-kyverno-operator/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: nirmata-kyverno-operator description: Helm Chart for Enterprise Kyverno Operator type: application -version: v0.5.5-rc2 -appVersion: v0.4.4 +version: v0.5.5-rc3 +appVersion: v0.4.5-rc1 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png keywords: - kubernetes diff --git a/charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_admissionreports.yaml b/charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_admissionreports.yaml deleted file mode 100644 index 63bfd0d3..00000000 --- a/charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_admissionreports.yaml +++ /dev/null @@ -1,667 +0,0 @@ -{{- if .Values.groups.kyverno.admissionreports }} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - {{- include "kyverno.crds.labels" . | nindent 4 }} - annotations: - {{- with .Values.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - controller-gen.kubebuilder.io/version: v0.15.0 - name: admissionreports.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: AdmissionReport - listKind: AdmissionReportList - plural: admissionreports - shortNames: - - admr - singular: admissionreport - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .spec.summary.pass - name: PASS - type: integer - - jsonPath: .spec.summary.fail - name: FAIL - type: integer - - jsonPath: .spec.summary.warn - name: WARN - type: integer - - jsonPath: .spec.summary.error - name: ERROR - type: integer - - jsonPath: .spec.summary.skip - name: SKIP - type: integer - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.gvr'] - name: GVR - type: string - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.name'] - name: REF - type: string - - jsonPath: .metadata.labels['audit\.kyverno\.io/report\.aggregate'] - name: AGGREGATE - priority: 1 - type: string - name: v1alpha2 - schema: - openAPIV3Schema: - description: AdmissionReport is the Schema for the AdmissionReports API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - owner: - description: Owner is a reference to the report owner (e.g. a Deployment, - Namespace, or Node) - properties: - apiVersion: - description: API version of the referent. - type: string - blockOwnerDeletion: - description: |- - If true, AND if the owner has the "foregroundDeletion" finalizer, then - the owner cannot be deleted from the key-value store until this - reference is removed. - See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion - for how the garbage collector interacts with this field and enforces the foreground deletion. - Defaults to false. - To set this field, a user needs "delete" permission of the owner, - otherwise 422 (Unprocessable Entity) will be returned. - type: boolean - controller: - description: If true, this reference points to the managing controller. - type: boolean - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids - type: string - required: - - apiVersion - - kind - - name - - uid - type: object - x-kubernetes-map-type: atomic - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for - the policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for - the policy rule - type: object - resourceSelector: - description: |- - SubjectSelector is an optional label selector for checked Kubernetes resources. - For example, a policy result may apply to all pods that match a label. - Either a Subject or a SubjectSelector can be specified. - If neither are provided, the result is assumed to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - resources: - description: Subjects is an optional reference to the checked - Kubernetes resources - items: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - type: array - result: - description: Result indicates the outcome of the policy rule - execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within - the policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: |- - Non-negative fractions of a second at nanosecond resolution. Negative - second values with fractions must still have non-negative nanos values - that count forward in time. Must be from 0 to 999,999,999 - inclusive. This field may be limited in precision depending on context. - format: int32 - type: integer - seconds: - description: |- - Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not - be evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not - selected for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - required: - - owner - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .spec.summary.pass - name: PASS - type: integer - - jsonPath: .spec.summary.fail - name: FAIL - type: integer - - jsonPath: .spec.summary.warn - name: WARN - type: integer - - jsonPath: .spec.summary.error - name: ERROR - type: integer - - jsonPath: .spec.summary.skip - name: SKIP - type: integer - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.gvr'] - name: GVR - type: string - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.name'] - name: REF - type: string - - jsonPath: .metadata.labels['audit\.kyverno\.io/report\.aggregate'] - name: AGGREGATE - priority: 1 - type: string - name: v2 - schema: - openAPIV3Schema: - description: AdmissionReport is the Schema for the AdmissionReports API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - owner: - description: Owner is a reference to the report owner (e.g. a Deployment, - Namespace, or Node) - properties: - apiVersion: - description: API version of the referent. - type: string - blockOwnerDeletion: - description: |- - If true, AND if the owner has the "foregroundDeletion" finalizer, then - the owner cannot be deleted from the key-value store until this - reference is removed. - See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion - for how the garbage collector interacts with this field and enforces the foreground deletion. - Defaults to false. - To set this field, a user needs "delete" permission of the owner, - otherwise 422 (Unprocessable Entity) will be returned. - type: boolean - controller: - description: If true, this reference points to the managing controller. - type: boolean - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids - type: string - required: - - apiVersion - - kind - - name - - uid - type: object - x-kubernetes-map-type: atomic - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for - the policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for - the policy rule - type: object - resourceSelector: - description: |- - SubjectSelector is an optional label selector for checked Kubernetes resources. - For example, a policy result may apply to all pods that match a label. - Either a Subject or a SubjectSelector can be specified. - If neither are provided, the result is assumed to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - resources: - description: Subjects is an optional reference to the checked - Kubernetes resources - items: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - type: array - result: - description: Result indicates the outcome of the policy rule - execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within - the policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: |- - Non-negative fractions of a second at nanosecond resolution. Negative - second values with fractions must still have non-negative nanos values - that count forward in time. Must be from 0 to 999,999,999 - inclusive. This field may be limited in precision depending on context. - format: int32 - type: integer - seconds: - description: |- - Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not - be evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not - selected for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - required: - - owner - type: object - required: - - spec - type: object - served: true - storage: false - subresources: {} -{{- end }} diff --git a/charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_backgroundscanreports.yaml b/charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_backgroundscanreports.yaml deleted file mode 100644 index aefe5a9e..00000000 --- a/charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_backgroundscanreports.yaml +++ /dev/null @@ -1,585 +0,0 @@ -{{- if .Values.groups.kyverno.backgroundscanreports }} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - {{- include "kyverno.crds.labels" . | nindent 4 }} - annotations: - {{- with .Values.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - controller-gen.kubebuilder.io/version: v0.15.0 - name: backgroundscanreports.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: BackgroundScanReport - listKind: BackgroundScanReportList - plural: backgroundscanreports - shortNames: - - bgscanr - singular: backgroundscanreport - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.ownerReferences[0].apiVersion - name: ApiVersion - type: string - - jsonPath: .metadata.ownerReferences[0].kind - name: Kind - type: string - - jsonPath: .metadata.ownerReferences[0].name - name: Subject - type: string - - jsonPath: .spec.summary.pass - name: Pass - type: integer - - jsonPath: .spec.summary.fail - name: Fail - type: integer - - jsonPath: .spec.summary.warn - name: Warn - type: integer - - jsonPath: .spec.summary.error - name: Error - type: integer - - jsonPath: .spec.summary.skip - name: Skip - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash'] - name: Hash - priority: 1 - type: string - name: v1alpha2 - schema: - openAPIV3Schema: - description: BackgroundScanReport is the Schema for the BackgroundScanReports - API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for - the policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for - the policy rule - type: object - resourceSelector: - description: |- - SubjectSelector is an optional label selector for checked Kubernetes resources. - For example, a policy result may apply to all pods that match a label. - Either a Subject or a SubjectSelector can be specified. - If neither are provided, the result is assumed to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - resources: - description: Subjects is an optional reference to the checked - Kubernetes resources - items: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - type: array - result: - description: Result indicates the outcome of the policy rule - execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within - the policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: |- - Non-negative fractions of a second at nanosecond resolution. Negative - second values with fractions must still have non-negative nanos values - that count forward in time. Must be from 0 to 999,999,999 - inclusive. This field may be limited in precision depending on context. - format: int32 - type: integer - seconds: - description: |- - Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not - be evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not - selected for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} - - additionalPrinterColumns: - - jsonPath: .metadata.ownerReferences[0].apiVersion - name: ApiVersion - type: string - - jsonPath: .metadata.ownerReferences[0].kind - name: Kind - type: string - - jsonPath: .metadata.ownerReferences[0].name - name: Subject - type: string - - jsonPath: .spec.summary.pass - name: Pass - type: integer - - jsonPath: .spec.summary.fail - name: Fail - type: integer - - jsonPath: .spec.summary.warn - name: Warn - type: integer - - jsonPath: .spec.summary.error - name: Error - type: integer - - jsonPath: .spec.summary.skip - name: Skip - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash'] - name: Hash - priority: 1 - type: string - name: v2 - schema: - openAPIV3Schema: - description: BackgroundScanReport is the Schema for the BackgroundScanReports - API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for - the policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for - the policy rule - type: object - resourceSelector: - description: |- - SubjectSelector is an optional label selector for checked Kubernetes resources. - For example, a policy result may apply to all pods that match a label. - Either a Subject or a SubjectSelector can be specified. - If neither are provided, the result is assumed to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - resources: - description: Subjects is an optional reference to the checked - Kubernetes resources - items: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - type: array - result: - description: Result indicates the outcome of the policy rule - execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within - the policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: |- - Non-negative fractions of a second at nanosecond resolution. Negative - second values with fractions must still have non-negative nanos values - that count forward in time. Must be from 0 to 999,999,999 - inclusive. This field may be limited in precision depending on context. - format: int32 - type: integer - seconds: - description: |- - Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not - be evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not - selected for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - type: object - required: - - spec - type: object - served: true - storage: false - subresources: {} -{{- end }} diff --git a/charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_cleanuppolicies.yaml b/charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_cleanuppolicies.yaml deleted file mode 100644 index 9e99aa18..00000000 --- a/charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_cleanuppolicies.yaml +++ /dev/null @@ -1,3684 +0,0 @@ -{{- if .Values.groups.kyverno.cleanuppolicies }} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - {{- include "kyverno.crds.labels" . | nindent 4 }} - annotations: - {{- with .Values.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - controller-gen.kubebuilder.io/version: v0.15.0 - name: cleanuppolicies.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: CleanupPolicy - listKind: CleanupPolicyList - plural: cleanuppolicies - shortNames: - - cleanpol - singular: cleanuppolicy - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.schedule - name: Schedule - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v2 - schema: - openAPIV3Schema: - description: CleanupPolicy defines a rule for resource cleanup. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec declares policy behaviors. - properties: - conditions: - description: Conditions defines the conditions used to select the - resources which will be cleaned up. - properties: - all: - description: |- - AllConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, all of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: |- - AnyConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, at least one of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - context: - description: Context defines variables and data sources that can be - used during rule execution. - items: - description: |- - ContextEntry adds variables and data sources to a rule Context. Either a - ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: |- - APICall is an HTTP request to the Kubernetes API server, or other JSON web service. - The data returned is stored in the context with the name for the context entry. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains the HTTP POST data - properties: - key: - description: Key is a unique identifier for the data - value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - globalReference: - description: GlobalContextEntryReference is a reference to a - cached global context entry. - properties: - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - name: - description: Name of the global context entry - type: string - type: object - imageRegistry: - description: |- - ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure access - to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: |- - Reference is image reference to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath context - variable that can be defined inline. - properties: - default: - description: |- - Default is an optional arbitrary JSON object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: |- - JMESPath is an optional JMESPath Expression that can be used to - transform the variable. - type: string - value: - description: Value is any arbitrary JSON object representable - in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: |- - ExcludeResources defines when cleanuppolicy should not be applied. The exclude - criteria can include resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name or role. - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - match: - description: |- - MatchResources defines when cleanuppolicy should be applied. The match - criteria can include resource information (e.g. kind, name, namespace, labels) - and admission review request information like the user name or role. - At least one kind is required. - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - schedule: - description: The schedule in Cron format - type: string - required: - - schedule - type: object - status: - description: Status contains policy runtime data. - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastExecutionTime: - format: date-time - type: string - type: object - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.schedule - name: Schedule - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v2alpha1 - schema: - openAPIV3Schema: - description: CleanupPolicy defines a rule for resource cleanup. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec declares policy behaviors. - properties: - conditions: - description: Conditions defines the conditions used to select the - resources which will be cleaned up. - properties: - all: - description: |- - AllConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, all of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: |- - AnyConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, at least one of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - context: - description: Context defines variables and data sources that can be - used during rule execution. - items: - description: |- - ContextEntry adds variables and data sources to a rule Context. Either a - ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: |- - APICall is an HTTP request to the Kubernetes API server, or other JSON web service. - The data returned is stored in the context with the name for the context entry. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains the HTTP POST data - properties: - key: - description: Key is a unique identifier for the data - value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - globalReference: - description: GlobalContextEntryReference is a reference to a - cached global context entry. - properties: - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - name: - description: Name of the global context entry - type: string - type: object - imageRegistry: - description: |- - ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure access - to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: |- - Reference is image reference to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath context - variable that can be defined inline. - properties: - default: - description: |- - Default is an optional arbitrary JSON object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: |- - JMESPath is an optional JMESPath Expression that can be used to - transform the variable. - type: string - value: - description: Value is any arbitrary JSON object representable - in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: |- - ExcludeResources defines when cleanuppolicy should not be applied. The exclude - criteria can include resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name or role. - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - match: - description: |- - MatchResources defines when cleanuppolicy should be applied. The match - criteria can include resource information (e.g. kind, name, namespace, labels) - and admission review request information like the user name or role. - At least one kind is required. - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - schedule: - description: The schedule in Cron format - type: string - required: - - schedule - type: object - status: - description: Status contains policy runtime data. - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastExecutionTime: - format: date-time - type: string - type: object - required: - - spec - type: object - served: false - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.schedule - name: Schedule - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v2beta1 - schema: - openAPIV3Schema: - description: CleanupPolicy defines a rule for resource cleanup. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec declares policy behaviors. - properties: - conditions: - description: Conditions defines the conditions used to select the - resources which will be cleaned up. - properties: - all: - description: |- - AllConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, all of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: |- - AnyConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, at least one of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - context: - description: Context defines variables and data sources that can be - used during rule execution. - items: - description: |- - ContextEntry adds variables and data sources to a rule Context. Either a - ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: |- - APICall is an HTTP request to the Kubernetes API server, or other JSON web service. - The data returned is stored in the context with the name for the context entry. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains the HTTP POST data - properties: - key: - description: Key is a unique identifier for the data - value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - globalReference: - description: GlobalContextEntryReference is a reference to a - cached global context entry. - properties: - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - name: - description: Name of the global context entry - type: string - type: object - imageRegistry: - description: |- - ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure access - to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: |- - Reference is image reference to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath context - variable that can be defined inline. - properties: - default: - description: |- - Default is an optional arbitrary JSON object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: |- - JMESPath is an optional JMESPath Expression that can be used to - transform the variable. - type: string - value: - description: Value is any arbitrary JSON object representable - in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: |- - ExcludeResources defines when cleanuppolicy should not be applied. The exclude - criteria can include resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name or role. - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - match: - description: |- - MatchResources defines when cleanuppolicy should be applied. The match - criteria can include resource information (e.g. kind, name, namespace, labels) - and admission review request information like the user name or role. - At least one kind is required. - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - schedule: - description: The schedule in Cron format - type: string - required: - - schedule - type: object - status: - description: Status contains policy runtime data. - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastExecutionTime: - format: date-time - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} -{{- end }} diff --git a/charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_clusteradmissionreports.yaml b/charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_clusteradmissionreports.yaml deleted file mode 100644 index 4450018d..00000000 --- a/charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_clusteradmissionreports.yaml +++ /dev/null @@ -1,669 +0,0 @@ -{{- if .Values.groups.kyverno.clusteradmissionreports }} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - {{- include "kyverno.crds.labels" . | nindent 4 }} - annotations: - {{- with .Values.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - controller-gen.kubebuilder.io/version: v0.15.0 - name: clusteradmissionreports.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: ClusterAdmissionReport - listKind: ClusterAdmissionReportList - plural: clusteradmissionreports - shortNames: - - cadmr - singular: clusteradmissionreport - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .spec.summary.pass - name: PASS - type: integer - - jsonPath: .spec.summary.fail - name: FAIL - type: integer - - jsonPath: .spec.summary.warn - name: WARN - type: integer - - jsonPath: .spec.summary.error - name: ERROR - type: integer - - jsonPath: .spec.summary.skip - name: SKIP - type: integer - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.gvr'] - name: GVR - type: string - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.name'] - name: REF - type: string - - jsonPath: .metadata.labels['audit\.kyverno\.io/report\.aggregate'] - name: AGGREGATE - priority: 1 - type: string - name: v1alpha2 - schema: - openAPIV3Schema: - description: ClusterAdmissionReport is the Schema for the ClusterAdmissionReports - API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - owner: - description: Owner is a reference to the report owner (e.g. a Deployment, - Namespace, or Node) - properties: - apiVersion: - description: API version of the referent. - type: string - blockOwnerDeletion: - description: |- - If true, AND if the owner has the "foregroundDeletion" finalizer, then - the owner cannot be deleted from the key-value store until this - reference is removed. - See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion - for how the garbage collector interacts with this field and enforces the foreground deletion. - Defaults to false. - To set this field, a user needs "delete" permission of the owner, - otherwise 422 (Unprocessable Entity) will be returned. - type: boolean - controller: - description: If true, this reference points to the managing controller. - type: boolean - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids - type: string - required: - - apiVersion - - kind - - name - - uid - type: object - x-kubernetes-map-type: atomic - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for - the policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for - the policy rule - type: object - resourceSelector: - description: |- - SubjectSelector is an optional label selector for checked Kubernetes resources. - For example, a policy result may apply to all pods that match a label. - Either a Subject or a SubjectSelector can be specified. - If neither are provided, the result is assumed to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - resources: - description: Subjects is an optional reference to the checked - Kubernetes resources - items: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - type: array - result: - description: Result indicates the outcome of the policy rule - execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within - the policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: |- - Non-negative fractions of a second at nanosecond resolution. Negative - second values with fractions must still have non-negative nanos values - that count forward in time. Must be from 0 to 999,999,999 - inclusive. This field may be limited in precision depending on context. - format: int32 - type: integer - seconds: - description: |- - Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not - be evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not - selected for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - required: - - owner - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .spec.summary.pass - name: PASS - type: integer - - jsonPath: .spec.summary.fail - name: FAIL - type: integer - - jsonPath: .spec.summary.warn - name: WARN - type: integer - - jsonPath: .spec.summary.error - name: ERROR - type: integer - - jsonPath: .spec.summary.skip - name: SKIP - type: integer - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.gvr'] - name: GVR - type: string - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.name'] - name: REF - type: string - - jsonPath: .metadata.labels['audit\.kyverno\.io/report\.aggregate'] - name: AGGREGATE - priority: 1 - type: string - name: v2 - schema: - openAPIV3Schema: - description: ClusterAdmissionReport is the Schema for the ClusterAdmissionReports - API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - owner: - description: Owner is a reference to the report owner (e.g. a Deployment, - Namespace, or Node) - properties: - apiVersion: - description: API version of the referent. - type: string - blockOwnerDeletion: - description: |- - If true, AND if the owner has the "foregroundDeletion" finalizer, then - the owner cannot be deleted from the key-value store until this - reference is removed. - See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion - for how the garbage collector interacts with this field and enforces the foreground deletion. - Defaults to false. - To set this field, a user needs "delete" permission of the owner, - otherwise 422 (Unprocessable Entity) will be returned. - type: boolean - controller: - description: If true, this reference points to the managing controller. - type: boolean - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids - type: string - required: - - apiVersion - - kind - - name - - uid - type: object - x-kubernetes-map-type: atomic - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for - the policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for - the policy rule - type: object - resourceSelector: - description: |- - SubjectSelector is an optional label selector for checked Kubernetes resources. - For example, a policy result may apply to all pods that match a label. - Either a Subject or a SubjectSelector can be specified. - If neither are provided, the result is assumed to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - resources: - description: Subjects is an optional reference to the checked - Kubernetes resources - items: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - type: array - result: - description: Result indicates the outcome of the policy rule - execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within - the policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: |- - Non-negative fractions of a second at nanosecond resolution. Negative - second values with fractions must still have non-negative nanos values - that count forward in time. Must be from 0 to 999,999,999 - inclusive. This field may be limited in precision depending on context. - format: int32 - type: integer - seconds: - description: |- - Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not - be evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not - selected for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - required: - - owner - type: object - required: - - spec - type: object - served: true - storage: false - subresources: {} -{{- end }} diff --git a/charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_clusterbackgroundscanreports.yaml b/charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_clusterbackgroundscanreports.yaml deleted file mode 100644 index b900aadd..00000000 --- a/charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_clusterbackgroundscanreports.yaml +++ /dev/null @@ -1,585 +0,0 @@ -{{- if .Values.groups.kyverno.clusterbackgroundscanreports }} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - {{- include "kyverno.crds.labels" . | nindent 4 }} - annotations: - {{- with .Values.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - controller-gen.kubebuilder.io/version: v0.15.0 - name: clusterbackgroundscanreports.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: ClusterBackgroundScanReport - listKind: ClusterBackgroundScanReportList - plural: clusterbackgroundscanreports - shortNames: - - cbgscanr - singular: clusterbackgroundscanreport - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.ownerReferences[0].apiVersion - name: ApiVersion - type: string - - jsonPath: .metadata.ownerReferences[0].kind - name: Kind - type: string - - jsonPath: .metadata.ownerReferences[0].name - name: Subject - type: string - - jsonPath: .spec.summary.pass - name: Pass - type: integer - - jsonPath: .spec.summary.fail - name: Fail - type: integer - - jsonPath: .spec.summary.warn - name: Warn - type: integer - - jsonPath: .spec.summary.error - name: Error - type: integer - - jsonPath: .spec.summary.skip - name: Skip - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash'] - name: Hash - priority: 1 - type: string - name: v1alpha2 - schema: - openAPIV3Schema: - description: ClusterBackgroundScanReport is the Schema for the ClusterBackgroundScanReports - API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for - the policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for - the policy rule - type: object - resourceSelector: - description: |- - SubjectSelector is an optional label selector for checked Kubernetes resources. - For example, a policy result may apply to all pods that match a label. - Either a Subject or a SubjectSelector can be specified. - If neither are provided, the result is assumed to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - resources: - description: Subjects is an optional reference to the checked - Kubernetes resources - items: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - type: array - result: - description: Result indicates the outcome of the policy rule - execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within - the policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: |- - Non-negative fractions of a second at nanosecond resolution. Negative - second values with fractions must still have non-negative nanos values - that count forward in time. Must be from 0 to 999,999,999 - inclusive. This field may be limited in precision depending on context. - format: int32 - type: integer - seconds: - description: |- - Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not - be evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not - selected for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} - - additionalPrinterColumns: - - jsonPath: .metadata.ownerReferences[0].apiVersion - name: ApiVersion - type: string - - jsonPath: .metadata.ownerReferences[0].kind - name: Kind - type: string - - jsonPath: .metadata.ownerReferences[0].name - name: Subject - type: string - - jsonPath: .spec.summary.pass - name: Pass - type: integer - - jsonPath: .spec.summary.fail - name: Fail - type: integer - - jsonPath: .spec.summary.warn - name: Warn - type: integer - - jsonPath: .spec.summary.error - name: Error - type: integer - - jsonPath: .spec.summary.skip - name: Skip - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash'] - name: Hash - priority: 1 - type: string - name: v2 - schema: - openAPIV3Schema: - description: ClusterBackgroundScanReport is the Schema for the ClusterBackgroundScanReports - API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for - the policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for - the policy rule - type: object - resourceSelector: - description: |- - SubjectSelector is an optional label selector for checked Kubernetes resources. - For example, a policy result may apply to all pods that match a label. - Either a Subject or a SubjectSelector can be specified. - If neither are provided, the result is assumed to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - resources: - description: Subjects is an optional reference to the checked - Kubernetes resources - items: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - type: array - result: - description: Result indicates the outcome of the policy rule - execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within - the policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: |- - Non-negative fractions of a second at nanosecond resolution. Negative - second values with fractions must still have non-negative nanos values - that count forward in time. Must be from 0 to 999,999,999 - inclusive. This field may be limited in precision depending on context. - format: int32 - type: integer - seconds: - description: |- - Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not - be evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not - selected for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - type: object - required: - - spec - type: object - served: true - storage: false - subresources: {} -{{- end }} diff --git a/charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_clustercleanuppolicies.yaml b/charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_clustercleanuppolicies.yaml deleted file mode 100644 index 8ba7d5e4..00000000 --- a/charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_clustercleanuppolicies.yaml +++ /dev/null @@ -1,3684 +0,0 @@ -{{- if .Values.groups.kyverno.clustercleanuppolicies }} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - {{- include "kyverno.crds.labels" . | nindent 4 }} - annotations: - {{- with .Values.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - controller-gen.kubebuilder.io/version: v0.15.0 - name: clustercleanuppolicies.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: ClusterCleanupPolicy - listKind: ClusterCleanupPolicyList - plural: clustercleanuppolicies - shortNames: - - ccleanpol - singular: clustercleanuppolicy - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.schedule - name: Schedule - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v2 - schema: - openAPIV3Schema: - description: ClusterCleanupPolicy defines rule for resource cleanup. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec declares policy behaviors. - properties: - conditions: - description: Conditions defines the conditions used to select the - resources which will be cleaned up. - properties: - all: - description: |- - AllConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, all of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: |- - AnyConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, at least one of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - context: - description: Context defines variables and data sources that can be - used during rule execution. - items: - description: |- - ContextEntry adds variables and data sources to a rule Context. Either a - ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: |- - APICall is an HTTP request to the Kubernetes API server, or other JSON web service. - The data returned is stored in the context with the name for the context entry. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains the HTTP POST data - properties: - key: - description: Key is a unique identifier for the data - value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - globalReference: - description: GlobalContextEntryReference is a reference to a - cached global context entry. - properties: - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - name: - description: Name of the global context entry - type: string - type: object - imageRegistry: - description: |- - ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure access - to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: |- - Reference is image reference to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath context - variable that can be defined inline. - properties: - default: - description: |- - Default is an optional arbitrary JSON object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: |- - JMESPath is an optional JMESPath Expression that can be used to - transform the variable. - type: string - value: - description: Value is any arbitrary JSON object representable - in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: |- - ExcludeResources defines when cleanuppolicy should not be applied. The exclude - criteria can include resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name or role. - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - match: - description: |- - MatchResources defines when cleanuppolicy should be applied. The match - criteria can include resource information (e.g. kind, name, namespace, labels) - and admission review request information like the user name or role. - At least one kind is required. - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - schedule: - description: The schedule in Cron format - type: string - required: - - schedule - type: object - status: - description: Status contains policy runtime data. - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastExecutionTime: - format: date-time - type: string - type: object - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.schedule - name: Schedule - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v2alpha1 - schema: - openAPIV3Schema: - description: ClusterCleanupPolicy defines rule for resource cleanup. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec declares policy behaviors. - properties: - conditions: - description: Conditions defines the conditions used to select the - resources which will be cleaned up. - properties: - all: - description: |- - AllConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, all of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: |- - AnyConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, at least one of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - context: - description: Context defines variables and data sources that can be - used during rule execution. - items: - description: |- - ContextEntry adds variables and data sources to a rule Context. Either a - ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: |- - APICall is an HTTP request to the Kubernetes API server, or other JSON web service. - The data returned is stored in the context with the name for the context entry. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains the HTTP POST data - properties: - key: - description: Key is a unique identifier for the data - value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - globalReference: - description: GlobalContextEntryReference is a reference to a - cached global context entry. - properties: - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - name: - description: Name of the global context entry - type: string - type: object - imageRegistry: - description: |- - ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure access - to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: |- - Reference is image reference to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath context - variable that can be defined inline. - properties: - default: - description: |- - Default is an optional arbitrary JSON object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: |- - JMESPath is an optional JMESPath Expression that can be used to - transform the variable. - type: string - value: - description: Value is any arbitrary JSON object representable - in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: |- - ExcludeResources defines when cleanuppolicy should not be applied. The exclude - criteria can include resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name or role. - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - match: - description: |- - MatchResources defines when cleanuppolicy should be applied. The match - criteria can include resource information (e.g. kind, name, namespace, labels) - and admission review request information like the user name or role. - At least one kind is required. - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - schedule: - description: The schedule in Cron format - type: string - required: - - schedule - type: object - status: - description: Status contains policy runtime data. - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastExecutionTime: - format: date-time - type: string - type: object - required: - - spec - type: object - served: false - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.schedule - name: Schedule - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v2beta1 - schema: - openAPIV3Schema: - description: ClusterCleanupPolicy defines rule for resource cleanup. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec declares policy behaviors. - properties: - conditions: - description: Conditions defines the conditions used to select the - resources which will be cleaned up. - properties: - all: - description: |- - AllConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, all of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: |- - AnyConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, at least one of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - context: - description: Context defines variables and data sources that can be - used during rule execution. - items: - description: |- - ContextEntry adds variables and data sources to a rule Context. Either a - ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: |- - APICall is an HTTP request to the Kubernetes API server, or other JSON web service. - The data returned is stored in the context with the name for the context entry. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains the HTTP POST data - properties: - key: - description: Key is a unique identifier for the data - value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - globalReference: - description: GlobalContextEntryReference is a reference to a - cached global context entry. - properties: - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - name: - description: Name of the global context entry - type: string - type: object - imageRegistry: - description: |- - ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure access - to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: |- - Reference is image reference to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath context - variable that can be defined inline. - properties: - default: - description: |- - Default is an optional arbitrary JSON object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: |- - JMESPath is an optional JMESPath Expression that can be used to - transform the variable. - type: string - value: - description: Value is any arbitrary JSON object representable - in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: |- - ExcludeResources defines when cleanuppolicy should not be applied. The exclude - criteria can include resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name or role. - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - match: - description: |- - MatchResources defines when cleanuppolicy should be applied. The match - criteria can include resource information (e.g. kind, name, namespace, labels) - and admission review request information like the user name or role. - At least one kind is required. - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - schedule: - description: The schedule in Cron format - type: string - required: - - schedule - type: object - status: - description: Status contains policy runtime data. - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastExecutionTime: - format: date-time - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} -{{- end }} diff --git a/charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml b/charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml deleted file mode 100644 index 4ac970b3..00000000 --- a/charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml +++ /dev/null @@ -1,16562 +0,0 @@ -{{- if .Values.groups.kyverno.clusterpolicies }} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - {{- include "kyverno.crds.labels" . | nindent 4 }} - annotations: - {{- with .Values.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - controller-gen.kubebuilder.io/version: v0.15.0 - name: clusterpolicies.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: ClusterPolicy - listKind: ClusterPolicyList - plural: clusterpolicies - shortNames: - - cpol - singular: clusterpolicy - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.admission - name: ADMISSION - type: boolean - - jsonPath: .spec.background - name: BACKGROUND - type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - - jsonPath: .status.conditions[?(@.type == "Ready")].status - name: READY - type: string - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .spec.failurePolicy - name: FAILURE POLICY - priority: 1 - type: string - - jsonPath: .status.rulecount.validate - name: VALIDATE - priority: 1 - type: integer - - jsonPath: .status.rulecount.mutate - name: MUTATE - priority: 1 - type: integer - - jsonPath: .status.rulecount.generate - name: GENERATE - priority: 1 - type: integer - - jsonPath: .status.rulecount.verifyimages - name: VERIFY IMAGES - priority: 1 - type: integer - - jsonPath: .status.conditions[?(@.type == "Ready")].message - name: MESSAGE - type: string - name: v1 - schema: - openAPIV3Schema: - description: ClusterPolicy declares validation, mutation, and generation behaviors - for matching resources. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec declares policy behaviors. - properties: - admission: - default: true - description: |- - Admission controls if rules are applied during admission. - Optional. Default value is "true". - type: boolean - applyRules: - description: |- - ApplyRules controls how rules in a policy are applied. Rule are processed in - the order of declaration. When set to `One` processing stops after a rule has - been applied i.e. the rule matches and results in a pass, fail, or error. When - set to `All` all rules in the policy are processed. The default is `All`. - enum: - - All - - One - type: string - background: - default: true - description: |- - Background controls if rules are applied to existing resources during a background scan. - Optional. Default value is "true". The value must be set to "false" if the policy rule - uses variables that are only available in the admission review request (e.g. user name). - type: boolean - failurePolicy: - description: |- - FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. - Rules within the same policy share the same failure behavior. - This field should not be accessed directly, instead `GetFailurePolicy()` should be used. - Allowed values are Ignore or Fail. Defaults to Fail. - enum: - - Ignore - - Fail - type: string - generateExisting: - description: |- - GenerateExisting controls whether to trigger generate rule in existing resources - If is set to "true" generate rule will be triggered and applied to existing matched resources. - Defaults to "false" if not specified. - type: boolean - generateExistingOnPolicyUpdate: - description: Deprecated, use generateExisting instead - type: boolean - mutateExistingOnPolicyUpdate: - description: |- - MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. - Default value is "false". - type: boolean - rules: - description: |- - Rules is a list of Rule instances. A Policy contains multiple rules and - each rule can validate, mutate, or generate resources. - items: - description: |- - Rule defines a validation, mutation, or generation control for matching resources. - Each rules contains a match declaration to select resources, and an optional exclude - declaration to specify which resources to exclude. - properties: - celPreconditions: - description: |- - CELPreconditions are used to determine if a policy rule should be applied by evaluating a - set of CEL conditions. It can only be used with the validate.cel subrule - items: - description: MatchCondition represents a condition which must - by fulfilled for a request to be sent to a webhook. - properties: - expression: - description: |- - Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. - CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: - - - 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. - See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the - request resource. - Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - - - Required. - type: string - name: - description: |- - Name is an identifier for this match condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. A good name should be descriptive of - the associated expression. - Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or - '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an - optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') - - - Required. - type: string - required: - - expression - - name - type: object - type: array - context: - description: Context defines variables and data sources that - can be used during rule execution. - items: - description: |- - ContextEntry adds variables and data sources to a rule Context. Either a - ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: |- - APICall is an HTTP request to the Kubernetes API server, or other JSON web service. - The data returned is stored in the context with the name for the context entry. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains the HTTP POST - data - properties: - key: - description: Key is a unique identifier for - the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request type (GET - or POST). - enum: - - GET - - POST - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - globalReference: - description: GlobalContextEntryReference is a reference - to a cached global context entry. - properties: - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - name: - description: Name of the global context entry - type: string - type: object - imageRegistry: - description: |- - ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure - access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers - required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: |- - Reference is image reference to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath context - variable that can be defined inline. - properties: - default: - description: |- - Default is an optional arbitrary JSON object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: |- - JMESPath is an optional JMESPath Expression that can be used to - transform the variable. - type: string - value: - description: Value is any arbitrary JSON object representable - in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: |- - ExcludeResources defines when this policy rule should not be applied. The exclude - criteria can include resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: |- - ResourceDescription contains information about the resource being created or modified. - Requires at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match is being deprecated. - Please specify under "any" or "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - generate: - description: Generation is used to create new resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: |- - Clone specifies the source resource used to populate each generated resource. - At most one of Data or Clone can be specified. If neither are provided, the generated - resource will be created with default data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source resource - used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - namespace: - description: Namespace specifies source resource namespace. - type: string - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels`. - wildcard characters are not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: |- - Data provides the resource declaration used to populate each generated resource. - At most one of Data or Clone must be specified. If neither are provided, the generated - resource will be created with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - orphanDownstreamOnPolicyDelete: - description: |- - OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated - them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type. - See https://kyverno.io/docs/writing-policies/generate/#data-examples. - Defaults to "false" if not specified. - type: boolean - synchronize: - description: |- - Synchronize controls if generated resources should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated resources will be overwritten with resource - data from Data or the resource specified in the Clone declaration. - Optional. Defaults to "false" if not specified. - type: boolean - uid: - description: UID specifies the resource uid. - type: string - type: object - imageExtractors: - additionalProperties: - items: - properties: - jmesPath: - description: |- - JMESPath is an optional JMESPath expression to apply to the image value. - This is useful when the extracted image begins with a prefix like 'docker://'. - The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). - Note - Image digest mutation may not be used when applying a JMESPAth to an image. - type: string - key: - description: |- - Key is an optional name of the field within 'path' that will be used to uniquely identify an image. - Note - this field MUST be unique. - type: string - name: - description: |- - Name is the entry the image will be available under 'images.' in the context. - If this field is not defined, image entries will appear under 'images.custom'. - type: string - path: - description: |- - Path is the path to the object containing the image field in a custom resource. - It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. - Wildcard keys are expanded in case of arrays or objects. - type: string - value: - description: |- - Value is an optional name of the field within 'path' that points to the image URI. - This is useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: |- - ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. - This config is only valid for verifyImages rules. - type: object - match: - description: |- - MatchResources defines when this policy rule should be applied. The match - criteria can include resource information (e.g. kind, name, namespace, labels) - and admission review request information like the user name or role. - At least one kind is required. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: |- - ResourceDescription contains information about the resource being created or modified. - Requires at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match is being deprecated. - Please specify under "any" or "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. - properties: - foreach: - description: ForEach applies mutation rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEachMutation applies mutation rules to - a list of sub-elements by creating a context for each - entry in the list and looping over it to apply the specified - logic. - properties: - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: |- - ContextEntry adds variables and data sources to a rule Context. Either a - ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: |- - APICall is an HTTP request to the Kubernetes API server, or other JSON web service. - The data returned is stored in the context with the name for the context entry. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains the - HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - globalReference: - description: GlobalContextEntryReference is - a reference to a cached global context entry. - properties: - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - name: - description: Name of the global context - entry - type: string - type: object - imageRegistry: - description: |- - ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: |- - Reference is image reference to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: |- - Default is an optional arbitrary JSON object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: |- - JMESPath is an optional JMESPath Expression that can be used to - transform the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: |- - List specifies a JMESPath expression that results in one or more elements - to which the validation logic is applied. - type: string - order: - description: |- - Order defines the iteration order on the list. - Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. - enum: - - Ascending - - Descending - type: string - patchStrategicMerge: - description: |- - PatchStrategicMerge is a strategic merge patch used to modify resources. - See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: |- - PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. - See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: |- - AnyAllConditions are used to determine if a policy rule should be applied by evaluating a - set of conditions. The declaration can contain nested `any` or `all` statements. - See: https://kyverno.io/docs/writing-policies/preconditions/ - properties: - all: - description: |- - AllConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, all of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: |- - AnyConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, at least one of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: |- - PatchStrategicMerge is a strategic merge patch used to modify resources. - See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: |- - PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. - See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to be - mutated. - items: - description: TargetResourceSpec defines targets for mutating - existing resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: |- - ContextEntry adds variables and data sources to a rule Context. Either a - ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: |- - APICall is an HTTP request to the Kubernetes API server, or other JSON web service. - The data returned is stored in the context with the name for the context entry. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains the - HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - globalReference: - description: GlobalContextEntryReference is - a reference to a cached global context entry. - properties: - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - name: - description: Name of the global context - entry - type: string - type: object - imageRegistry: - description: |- - ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: |- - Reference is image reference to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: |- - Default is an optional arbitrary JSON object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: |- - JMESPath is an optional JMESPath Expression that can be used to - transform the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - preconditions: - description: |- - Preconditions are used to determine if a policy rule should be applied by evaluating a - set of conditions. The declaration can contain nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements is supported for backwards compatibility but - will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/ - x-kubernetes-preserve-unknown-fields: true - uid: - description: UID specifies the resource uid. - type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must be - unique within the policy. - maxLength: 63 - type: string - preconditions: - description: |- - Preconditions are used to determine if a policy rule should be applied by evaluating a - set of conditions. The declaration can contain nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements is supported for backwards compatibility but - will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/ - x-kubernetes-preserve-unknown-fields: true - skipBackgroundRequests: - default: true - description: |- - SkipBackgroundRequests bypasses admission requests that are sent by the background controller. - The default value is set to "true", it must be set to "false" to apply - generate and mutateExisting rules to those requests. - type: boolean - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: |- - AnyPattern specifies list of validation patterns. At least one of the patterns - must be satisfied for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - cel: - description: CEL allows validation checks using the Common - Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). - properties: - auditAnnotations: - description: AuditAnnotations contains CEL expressions - which are used to produce audit annotations for the - audit event of the API request. - items: - description: AuditAnnotation describes how to produce - an audit annotation for an API request. - properties: - key: - description: |- - key specifies the audit annotation key. The audit annotation keys of - a ValidatingAdmissionPolicy must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. - - - The key is combined with the resource name of the - ValidatingAdmissionPolicy to construct an audit annotation key: - "{ValidatingAdmissionPolicy name}/{key}". - - - If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation key will be identical. - In this case, the first annotation written with the key will be included - in the audit event and all subsequent annotations with the same key - will be discarded. - - - Required. - type: string - valueExpression: - description: |- - valueExpression represents the expression which is evaluated by CEL to - produce an audit annotation value. The expression must evaluate to either - a string or null value. If the expression evaluates to a string, the - audit annotation is included with the string value. If the expression - evaluates to null or empty string the audit annotation will be omitted. - The valueExpression may be no longer than 5kb in length. - If the result of the valueExpression is more than 10kb in length, it - will be truncated to 10kb. - - - If multiple ValidatingAdmissionPolicyBinding resources match an - API request, then the valueExpression will be evaluated for - each binding. All unique values produced by the valueExpressions - will be joined together in a comma-separated list. - - - Required. - type: string - required: - - key - - valueExpression - type: object - type: array - expressions: - description: Expressions is a list of CELExpression - types. - items: - description: Validation specifies the CEL expression - which is used to apply the validation. - properties: - expression: - description: "Expression represents the expression - which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL - expressions have access to the contents of the - API request/response, organized into CEL variables - as well as some other useful variables:\n\n\n- - 'object' - The object from the incoming request. - The value is null for DELETE requests.\n- 'oldObject' - - The existing object. The value is null for - CREATE requests.\n- 'request' - Attributes of - the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- - 'params' - Parameter resource referred to by - the policy binding being evaluated. Only populated - if the policy has a ParamKind.\n- 'namespaceObject' - - The namespace object that the incoming object - belongs to. The value is null for cluster-scoped - resources.\n- 'variables' - Map of composited - variables, from its name to its lazily evaluated - value.\n For example, a variable named 'foo' - can be accessed as 'variables.foo'.\n- 'authorizer' - - A CEL Authorizer. May be used to perform authorization - checks for the principal (user or service account) - of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the\n request resource.\n\n\nThe `apiVersion`, - `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the\nobject. - No other metadata properties are accessible.\n\n\nOnly - property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible.\nAccessible property names are - escaped according to the following rules when - accessed in the expression:\n- '__' escapes - to '__underscores__'\n- '.' escapes to '__dot__'\n- - '-' escapes to '__dash__'\n- '/' escapes to - '__slash__'\n- Property names that exactly match - a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are:\n\t \"true\", \"false\", - \"null\", \"in\", \"as\", \"break\", \"const\", - \"continue\", \"else\", \"for\", \"function\", - \"if\",\n\t \"import\", \"let\", \"loop\", - \"package\", \"namespace\", \"return\".\nExamples:\n - \ - Expression accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ > 0\"}\n - \ - Expression accessing a property named \"x-prop\": - {\"Expression\": \"object.x__dash__prop > 0\"}\n - \ - Expression accessing a property named \"redact__d\": - {\"Expression\": \"object.redact__underscores__d - > 0\"}\n\n\nEquality on arrays with list type - of 'set' or 'map' ignores element order, i.e. - [1, 2] == [2, 1].\nConcatenation on arrays with - x-kubernetes-list-type use the semantics of - the list type:\n - 'set': `X + Y` performs - a union where the array positions of all elements - in `X` are preserved and\n non-intersecting - elements in `Y` are appended, retaining their - partial order.\n - 'map': `X + Y` performs - a merge where the array positions of all keys - in `X` are preserved but the values\n are - overwritten by values in `Y` when the key sets - of `X` and `Y` intersect. Elements in `Y` with\n - \ non-intersecting keys are appended, retaining - their partial order.\nRequired." - type: string - message: - description: |- - Message represents the message displayed when validation fails. The message is required if the Expression contains - line breaks. The message must not contain line breaks. - If unset, the message is "failed rule: {Rule}". - e.g. "must be a URL with the host matching spec.host" - If the Expression contains line breaks. Message is required. - The message must not contain line breaks. - If unset, the message is "failed Expression: {Expression}". - type: string - messageExpression: - description: |- - messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. - Since messageExpression is used as a failure message, it must evaluate to a string. - If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. - If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced - as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string - that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and - the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. - messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. - Example: - "object.x must be less than max ("+string(params.max)+")" - type: string - reason: - description: |- - Reason represents a machine-readable description of why this validation failed. - If this is the first validation in the list to fail, this reason, as well as the - corresponding HTTP response code, are used in the - HTTP response to the client. - The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". - If not set, StatusReasonInvalid is used in the response to the client. - type: string - required: - - expression - type: object - type: array - paramKind: - description: ParamKind is a tuple of Group Kind and - Version. - properties: - apiVersion: - description: |- - APIVersion is the API group version the resources belong to. - In format of "group/version". - Required. - type: string - kind: - description: |- - Kind is the API kind the resources belong to. - Required. - type: string - type: object - x-kubernetes-map-type: atomic - paramRef: - description: ParamRef references a parameter resource. - properties: - name: - description: |- - `name` is the name of the resource being referenced. - - - `name` and `selector` are mutually exclusive properties. If one is set, - the other must be unset. - type: string - namespace: - description: |- - namespace is the namespace of the referenced resource. Allows limiting - the search for params to a specific namespace. Applies to both `name` and - `selector` fields. - - - A per-namespace parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field empty. - - - - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this - field results in a configuration error. - - - - If `paramKind` is namespace-scoped, the namespace of the object being - evaluated for admission will be used when this field is left unset. Take - care that if this is left empty the binding must not match any cluster-scoped - resources, which will result in an error. - type: string - parameterNotFoundAction: - description: |- - `parameterNotFoundAction` controls the behavior of the binding when the resource - exists, and name or selector is valid, but there are no parameters - matched by the binding. If the value is set to `Allow`, then no - matched parameters will be treated as successful validation by the binding. - If set to `Deny`, then no matched parameters will be subject to the - `failurePolicy` of the policy. - - - Allowed values are `Allow` or `Deny` - Default to `Deny` - type: string - selector: - description: |- - selector can be used to match multiple param objects based on their labels. - Supply selector: {} to match all resources of the ParamKind. - - - If multiple params are found, they are all evaluated with the policy expressions - and the results are ANDed together. - - - One of `name` or `selector` must be set, but `name` and `selector` are - mutually exclusive properties. If one is set, the other must be unset. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - x-kubernetes-map-type: atomic - variables: - description: |- - Variables contain definitions of variables that can be used in composition of other expressions. - Each variable is defined as a named CEL expression. - The variables defined here will be available under `variables` in other expressions of the policy. - items: - description: Variable is the definition of a variable - that is used for composition. - properties: - expression: - description: |- - Expression is the expression that will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers as the CEL expressions in Validation. - type: string - name: - description: |- - Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. - The variable can be accessed in other expressions through `variables` - For example, if name is "foo", the variable will be available as `variables.foo` - type: string - required: - - expression - - name - type: object - type: array - type: object - deny: - description: Deny defines conditions used to pass or fail - a validation rule. - properties: - conditions: - description: |- - Multiple conditions can be declared under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules - x-kubernetes-preserve-unknown-fields: true - type: object - foreach: - description: ForEach applies validate rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEachValidation applies validate rules - to a list of sub-elements by creating a context for - each entry in the list and looping over it to apply - the specified logic. - properties: - anyPattern: - description: |- - AnyPattern specifies list of validation patterns. At least one of the patterns - must be satisfied for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: |- - ContextEntry adds variables and data sources to a rule Context. Either a - ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: |- - APICall is an HTTP request to the Kubernetes API server, or other JSON web service. - The data returned is stored in the context with the name for the context entry. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains the - HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - globalReference: - description: GlobalContextEntryReference is - a reference to a cached global context entry. - properties: - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - name: - description: Name of the global context - entry - type: string - type: object - imageRegistry: - description: |- - ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: |- - Reference is image reference to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: |- - Default is an optional arbitrary JSON object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: |- - JMESPath is an optional JMESPath Expression that can be used to - transform the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. - properties: - conditions: - description: |- - Multiple conditions can be declared under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: |- - ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used as the validation scope within the foreach - block to allow referencing other elements in the subtree. - type: boolean - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: |- - List specifies a JMESPath expression that results in one or more elements - to which the validation logic is applied. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: |- - AnyAllConditions are used to determine if a policy rule should be applied by evaluating a - set of conditions. The declaration can contain nested `any` or `all` statements. - See: https://kyverno.io/docs/writing-policies/preconditions/ - properties: - all: - description: |- - AllConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, all of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: |- - AnyConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, at least one of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of annotation - for message and signature. Default is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: |- - Count specifies the required number of entries that must match. If the count is null, all entries must match - (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a - value N, then N must be less than or equal to the size of entries, and at least N entries must match. - minimum: 1 - type: integer - entries: - description: |- - Entries contains the available attestors. An attestor can be a static key, - attributes for keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations are used for image verification. - Every specified key-value pair must exist and match in the verified payload. - The payload may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set of - Attestor used to specify a more complex - set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates. - properties: - cert: - description: Cert is an optional PEM-encoded - public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates used - to verify. - type: string - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - type: object - keyless: - description: |- - Keyless is a set of attribute used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - roots: - description: |- - Roots is an optional set of PEM encoded trusted root certificates. - If not provided, the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: |- - KMS provides the URI to the public key stored in a Key Management System. See: - https://github.com/sigstore/cosign/blob/main/KMS.md - type: string - publicKeys: - description: |- - Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly - specified or can be a variable reference to a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying it in the format "k8s:///". - The named Secret must specify a key `cosign.pub` containing the public key used for - verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each key is processed as a separate staticKey entry - (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and sha512. - type: string - type: object - repository: - description: |- - Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. - If specified Repository will override other OCI image repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while comparing - manifests. - items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: |- - Repository is an optional alternate OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be displayed - on failure. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: |- - PodSecurity applies exemptions for Kubernetes Pod Security admission - by specifying exclusions for Pod Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security Standard - controls to be excluded. - items: - description: PodSecurityStandard specifies the Pod - Security Standard controls to be excluded. - properties: - controlName: - description: |- - ControlName specifies the name of the Pod Security Standard control. - See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: |- - Images selects matching containers and applies the container level PSS. - Each image is the image name consisting of the registry address, repository, image, and tag. - Empty list matches no containers, PSS checks are applied at the pod level only. - Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - items: - type: string - type: array - restrictedField: - description: |- - RestrictedField selects the field for the given Pod Security Standard control. - When not set, all restricted fields for the control are selected. - type: string - values: - description: Values defines the allowed values - that can be excluded. - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: |- - Level defines the Pod Security Standard level to be applied to workloads. - Allowed values are privileged, baseline, and restricted. - enum: - - privileged - - baseline - - restricted - type: string - version: - description: |- - Version defines the Pod Security Standard versions that Kubernetes supports. - Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest. - enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - v1.26 - - v1.27 - - v1.28 - - v1.29 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: |- - ImageVerification validates that images that match the specified pattern - are signed with the supplied public key. Once the image is verified it is - mutated to include the SHA digest retrieved during the registration. - properties: - additionalExtensions: - additionalProperties: - type: string - description: Deprecated. - type: object - annotations: - additionalProperties: - type: string - description: Deprecated. Use annotations per Attestor - instead. - type: object - attestations: - description: |- - Attestations are optional checks for signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the - OCI registry and decodes them into a list of Statement declarations. - items: - description: |- - Attestation are checks for signed in-toto Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the - OCI registry and decodes them into a list of Statements. - properties: - attestors: - description: Attestors specify the required attestors - (i.e. authorities). - items: - properties: - count: - description: |- - Count specifies the required number of entries that must match. If the count is null, all entries must match - (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a - value N, then N must be less than or equal to the size of entries, and at least N entries must match. - minimum: 1 - type: integer - entries: - description: |- - Entries contains the available attestors. An attestor can be a static key, - attributes for keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations are used for image verification. - Every specified key-value pair must exist and match in the verified payload. - The payload may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set - of Attestor used to specify a more - complex set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates. - properties: - cert: - description: Cert is an optional - PEM-encoded public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates - used to verify. - type: string - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - type: object - keyless: - description: |- - Keyless is a set of attribute used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - roots: - description: |- - Roots is an optional set of PEM encoded trusted root certificates. - If not provided, the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: |- - KMS provides the URI to the public key stored in a Key Management System. See: - https://github.com/sigstore/cosign/blob/main/KMS.md - type: string - publicKeys: - description: |- - Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly - specified or can be a variable reference to a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying it in the format "k8s:///". - The named Secret must specify a key `cosign.pub` containing the public key used for - verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each key is processed as a separate staticKey entry - (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and - sha512. - type: string - type: object - repository: - description: |- - Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. - If specified Repository will override other OCI image repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: |- - Conditions are used to verify attributes within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there are predicates that match the predicate type. - items: - description: |- - AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one of its sub-conditions passes. - AllConditions get fulfilled only when all of its sub-conditions pass. - properties: - all: - description: |- - AllConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, all of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: |- - AnyConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, at least one of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: Deprecated in favour of 'Type', to - be removed soon - type: string - type: - description: Type defines the type of attestation - contained within the Statement. - type: string - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: |- - Count specifies the required number of entries that must match. If the count is null, all entries must match - (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a - value N, then N must be less than or equal to the size of entries, and at least N entries must match. - minimum: 1 - type: integer - entries: - description: |- - Entries contains the available attestors. An attestor can be a static key, - attributes for keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations are used for image verification. - Every specified key-value pair must exist and match in the verified payload. - The payload may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set of Attestor - used to specify a more complex set of match - authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one or - more certificates. - properties: - cert: - description: Cert is an optional PEM-encoded - public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates used - to verify. - type: string - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is used - to validate SCTs against a custom - source. - type: string - type: object - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address of - the transparency log. Defaults to - the public Rekor log instance https://rekor.sigstore.dev. - type: string - type: object - type: object - keyless: - description: |- - Keyless is a set of attribute used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is used - to validate SCTs against a custom - source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address of - the transparency log. Defaults to - the public Rekor log instance https://rekor.sigstore.dev. - type: string - type: object - roots: - description: |- - Roots is an optional set of PEM encoded trusted root certificates. - If not provided, the system roots are used. - type: string - subject: - description: Subject is the verified identity - used for keyless signing, for example - the email address. - type: string - type: object - keys: - description: Keys specifies one or more public - keys. - properties: - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is used - to validate SCTs against a custom - source. - type: string - type: object - kms: - description: |- - KMS provides the URI to the public key stored in a Key Management System. See: - https://github.com/sigstore/cosign/blob/main/KMS.md - type: string - publicKeys: - description: |- - Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly - specified or can be a variable reference to a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying it in the format "k8s:///". - The named Secret must specify a key `cosign.pub` containing the public key used for - verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each key is processed as a separate staticKey entry - (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address of - the transparency log. Defaults to - the public Rekor log instance https://rekor.sigstore.dev. - type: string - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. The - provided secret must contain a key - named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values are - sha224, sha256, sha384 and sha512. - type: string - type: object - repository: - description: |- - Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. - If specified Repository will override other OCI image repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - image: - description: Deprecated. Use ImageReferences instead. - type: string - imageReferences: - description: |- - ImageReferences is a list of matching image reference patterns. At least one pattern in the - list must match the image for the rule to apply. Each image reference consists of a registry - address (defaults to docker.io), repository, image, and tag (defaults to latest). - Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - items: - type: string - type: array - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry. - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure - access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - issuer: - description: Deprecated. Use KeylessAttestor instead. - type: string - key: - description: Deprecated. Use StaticKeyAttestor instead. - type: string - mutateDigest: - default: true - description: |- - MutateDigest enables replacement of image tags with digests. - Defaults to true. - type: boolean - repository: - description: |- - Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. - If specified Repository will override the default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. have matched passed a signature or attestation - check. - type: boolean - roots: - description: Deprecated. Use KeylessAttestor instead. - type: string - skipImageReferences: - description: |- - SkipImageReferences is a list of matching image reference patterns that should be skipped. - At least one pattern in the list must match the image for the rule to be skipped. Each image reference - consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). - Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - items: - type: string - type: array - subject: - description: Deprecated. Use KeylessAttestor instead. - type: string - type: - description: |- - Type specifies the method of signature validation. The allowed options - are Cosign and Notary. By default Cosign is used if a type is not specified. - enum: - - Cosign - - Notary - type: string - useCache: - default: true - description: UseCache enables caching of image verify - responses for this rule. - type: boolean - verifyDigest: - default: true - description: VerifyDigest validates that images have a - digest. - type: boolean - type: object - type: array - required: - - name - type: object - type: array - schemaValidation: - description: Deprecated. - type: boolean - useServerSideApply: - description: |- - UseServerSideApply controls whether to use server-side apply for generate rules - If is set to "true" create & update for generate rules will use apply instead of create/update. - Defaults to "false" if not specified. - type: boolean - validationFailureAction: - default: Audit - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are audit or enforce. The default value is "Audit". - enum: - - audit - - enforce - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the policy validation - failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array - webhookConfiguration: - description: |- - WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. - Requires Kubernetes 1.27 or later. - properties: - matchConditions: - description: MatchCondition configures admission webhook matchConditions. - items: - description: MatchCondition represents a condition which must - by fulfilled for a request to be sent to a webhook. - properties: - expression: - description: |- - Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. - CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: - - - 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. - See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the - request resource. - Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - - - Required. - type: string - name: - description: |- - Name is an identifier for this match condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. A good name should be descriptive of - the associated expression. - Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or - '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an - optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') - - - Required. - type: string - required: - - expression - - name - type: object - type: array - type: object - webhookTimeoutSeconds: - description: |- - WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. - After the configured time expires, the admission request may fail, or may simply ignore the policy results, - based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. - format: int32 - type: integer - type: object - status: - description: Status contains policy runtime data. - properties: - autogen: - description: AutogenStatus contains autogen status information. - properties: - rules: - description: Rules is a list of Rule instances. It contains auto - generated rules added for pod controllers - items: - description: |- - Rule defines a validation, mutation, or generation control for matching resources. - Each rules contains a match declaration to select resources, and an optional exclude - declaration to specify which resources to exclude. - properties: - celPreconditions: - description: |- - CELPreconditions are used to determine if a policy rule should be applied by evaluating a - set of CEL conditions. It can only be used with the validate.cel subrule - items: - description: MatchCondition represents a condition which - must by fulfilled for a request to be sent to a webhook. - properties: - expression: - description: |- - Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. - CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: - - - 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. - See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the - request resource. - Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - - - Required. - type: string - name: - description: |- - Name is an identifier for this match condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. A good name should be descriptive of - the associated expression. - Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or - '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an - optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') - - - Required. - type: string - required: - - expression - - name - type: object - type: array - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: |- - ContextEntry adds variables and data sources to a rule Context. Either a - ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: |- - APICall is an HTTP request to the Kubernetes API server, or other JSON web service. - The data returned is stored in the context with the name for the context entry. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains the HTTP POST - data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request type (GET - or POST). - enum: - - GET - - POST - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - globalReference: - description: GlobalContextEntryReference is a reference - to a cached global context entry. - properties: - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - name: - description: Name of the global context entry - type: string - type: object - imageRegistry: - description: |- - ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers - required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: |- - Reference is image reference to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: |- - Default is an optional arbitrary JSON object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: |- - JMESPath is an optional JMESPath Expression that can be used to - transform the variable. - type: string - value: - description: Value is any arbitrary JSON object - representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: |- - ExcludeResources defines when this policy rule should not be applied. The exclude - criteria can include resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: |- - ResourceDescription contains information about the resource being created or modified. - Requires at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match is being deprecated. - Please specify under "any" or "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one of - the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - generate: - description: Generation is used to create new resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: |- - Clone specifies the source resource used to populate each generated resource. - At most one of Data or Clone can be specified. If neither are provided, the generated - resource will be created with default data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource - namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source - resource used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - namespace: - description: Namespace specifies source resource - namespace. - type: string - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels`. - wildcard characters are not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: |- - Data provides the resource declaration used to populate each generated resource. - At most one of Data or Clone must be specified. If neither are provided, the generated - resource will be created with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - orphanDownstreamOnPolicyDelete: - description: |- - OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated - them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type. - See https://kyverno.io/docs/writing-policies/generate/#data-examples. - Defaults to "false" if not specified. - type: boolean - synchronize: - description: |- - Synchronize controls if generated resources should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated resources will be overwritten with resource - data from Data or the resource specified in the Clone declaration. - Optional. Defaults to "false" if not specified. - type: boolean - uid: - description: UID specifies the resource uid. - type: string - type: object - imageExtractors: - additionalProperties: - items: - properties: - jmesPath: - description: |- - JMESPath is an optional JMESPath expression to apply to the image value. - This is useful when the extracted image begins with a prefix like 'docker://'. - The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). - Note - Image digest mutation may not be used when applying a JMESPAth to an image. - type: string - key: - description: |- - Key is an optional name of the field within 'path' that will be used to uniquely identify an image. - Note - this field MUST be unique. - type: string - name: - description: |- - Name is the entry the image will be available under 'images.' in the context. - If this field is not defined, image entries will appear under 'images.custom'. - type: string - path: - description: |- - Path is the path to the object containing the image field in a custom resource. - It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. - Wildcard keys are expanded in case of arrays or objects. - type: string - value: - description: |- - Value is an optional name of the field within 'path' that points to the image URI. - This is useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: |- - ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. - This config is only valid for verifyImages rules. - type: object - match: - description: |- - MatchResources defines when this policy rule should be applied. The match - criteria can include resource information (e.g. kind, name, namespace, labels) - and admission review request information like the user name or role. - At least one kind is required. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: |- - ResourceDescription contains information about the resource being created or modified. - Requires at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match is being deprecated. - Please specify under "any" or "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one of - the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. - properties: - foreach: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - items: - description: ForEachMutation applies mutation rules - to a list of sub-elements by creating a context - for each entry in the list and looping over it to - apply the specified logic. - properties: - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: |- - ContextEntry adds variables and data sources to a rule Context. Either a - ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: |- - APICall is an HTTP request to the Kubernetes API server, or other JSON web service. - The data returned is stored in the context with the name for the context entry. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - globalReference: - description: GlobalContextEntryReference - is a reference to a cached global context - entry. - properties: - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - name: - description: Name of the global context - entry - type: string - type: object - imageRegistry: - description: |- - ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials - provides credentials that will be - used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry - allows insecure access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: |- - Reference is image reference to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: |- - Default is an optional arbitrary JSON object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: |- - JMESPath is an optional JMESPath Expression that can be used to - transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: |- - List specifies a JMESPath expression that results in one or more elements - to which the validation logic is applied. - type: string - order: - description: |- - Order defines the iteration order on the list. - Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. - enum: - - Ascending - - Descending - type: string - patchStrategicMerge: - description: |- - PatchStrategicMerge is a strategic merge patch used to modify resources. - See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: |- - PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. - See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: |- - AnyAllConditions are used to determine if a policy rule should be applied by evaluating a - set of conditions. The declaration can contain nested `any` or `all` statements. - See: https://kyverno.io/docs/writing-policies/preconditions/ - properties: - all: - description: |- - AllConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, all of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: |- - AnyConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, at least one of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: |- - PatchStrategicMerge is a strategic merge patch used to modify resources. - See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: |- - PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. - See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to - be mutated. - items: - description: TargetResourceSpec defines targets for - mutating existing resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: |- - ContextEntry adds variables and data sources to a rule Context. Either a - ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: |- - APICall is an HTTP request to the Kubernetes API server, or other JSON web service. - The data returned is stored in the context with the name for the context entry. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - globalReference: - description: GlobalContextEntryReference - is a reference to a cached global context - entry. - properties: - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - name: - description: Name of the global context - entry - type: string - type: object - imageRegistry: - description: |- - ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials - provides credentials that will be - used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry - allows insecure access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: |- - Reference is image reference to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: |- - Default is an optional arbitrary JSON object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: |- - JMESPath is an optional JMESPath Expression that can be used to - transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - preconditions: - description: |- - Preconditions are used to determine if a policy rule should be applied by evaluating a - set of conditions. The declaration can contain nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements is supported for backwards compatibility but - will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/ - x-kubernetes-preserve-unknown-fields: true - uid: - description: UID specifies the resource uid. - type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must - be unique within the policy. - maxLength: 63 - type: string - preconditions: - description: |- - Preconditions are used to determine if a policy rule should be applied by evaluating a - set of conditions. The declaration can contain nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements is supported for backwards compatibility but - will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/ - x-kubernetes-preserve-unknown-fields: true - skipBackgroundRequests: - default: true - description: |- - SkipBackgroundRequests bypasses admission requests that are sent by the background controller. - The default value is set to "true", it must be set to "false" to apply - generate and mutateExisting rules to those requests. - type: boolean - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: |- - AnyPattern specifies list of validation patterns. At least one of the patterns - must be satisfied for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - cel: - description: CEL allows validation checks using the - Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). - properties: - auditAnnotations: - description: AuditAnnotations contains CEL expressions - which are used to produce audit annotations for - the audit event of the API request. - items: - description: AuditAnnotation describes how to - produce an audit annotation for an API request. - properties: - key: - description: |- - key specifies the audit annotation key. The audit annotation keys of - a ValidatingAdmissionPolicy must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. - - - The key is combined with the resource name of the - ValidatingAdmissionPolicy to construct an audit annotation key: - "{ValidatingAdmissionPolicy name}/{key}". - - - If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation key will be identical. - In this case, the first annotation written with the key will be included - in the audit event and all subsequent annotations with the same key - will be discarded. - - - Required. - type: string - valueExpression: - description: |- - valueExpression represents the expression which is evaluated by CEL to - produce an audit annotation value. The expression must evaluate to either - a string or null value. If the expression evaluates to a string, the - audit annotation is included with the string value. If the expression - evaluates to null or empty string the audit annotation will be omitted. - The valueExpression may be no longer than 5kb in length. - If the result of the valueExpression is more than 10kb in length, it - will be truncated to 10kb. - - - If multiple ValidatingAdmissionPolicyBinding resources match an - API request, then the valueExpression will be evaluated for - each binding. All unique values produced by the valueExpressions - will be joined together in a comma-separated list. - - - Required. - type: string - required: - - key - - valueExpression - type: object - type: array - expressions: - description: Expressions is a list of CELExpression - types. - items: - description: Validation specifies the CEL expression - which is used to apply the validation. - properties: - expression: - description: "Expression represents the expression - which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL - expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful - variables:\n\n\n- 'object' - The object - from the incoming request. The value is - null for DELETE requests.\n- 'oldObject' - - The existing object. The value is null - for CREATE requests.\n- 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind.\n- - 'namespaceObject' - The namespace object - that the incoming object belongs to. The - value is null for cluster-scoped resources.\n- - 'variables' - Map of composited variables, - from its name to its lazily evaluated value.\n - \ For example, a variable named 'foo' can - be accessed as 'variables.foo'.\n- 'authorizer' - - A CEL Authorizer. May be used to perform - authorization checks for the principal (user - or service account) of the request.\n See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the\n request resource.\n\n\nThe `apiVersion`, - `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the\nobject. - No other metadata properties are accessible.\n\n\nOnly - property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible.\nAccessible property names - are escaped according to the following rules - when accessed in the expression:\n- '__' - escapes to '__underscores__'\n- '.' escapes - to '__dot__'\n- '-' escapes to '__dash__'\n- - '/' escapes to '__slash__'\n- Property names - that exactly match a CEL RESERVED keyword - escape to '__{keyword}__'. The keywords - are:\n\t \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\",\n\t - \ \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\".\nExamples:\n - \ - Expression accessing a property named - \"namespace\": {\"Expression\": \"object.__namespace__ - > 0\"}\n - Expression accessing a property - named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"}\n - Expression accessing a property - named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"}\n\n\nEquality on arrays with list - type of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1].\nConcatenation on - arrays with x-kubernetes-list-type use the - semantics of the list type:\n - 'set': - `X + Y` performs a union where the array - positions of all elements in `X` are preserved - and\n non-intersecting elements in `Y` - are appended, retaining their partial order.\n - \ - 'map': `X + Y` performs a merge where - the array positions of all keys in `X` are - preserved but the values\n are overwritten - by values in `Y` when the key sets of `X` - and `Y` intersect. Elements in `Y` with\n - \ non-intersecting keys are appended, - retaining their partial order.\nRequired." - type: string - message: - description: |- - Message represents the message displayed when validation fails. The message is required if the Expression contains - line breaks. The message must not contain line breaks. - If unset, the message is "failed rule: {Rule}". - e.g. "must be a URL with the host matching spec.host" - If the Expression contains line breaks. Message is required. - The message must not contain line breaks. - If unset, the message is "failed Expression: {Expression}". - type: string - messageExpression: - description: |- - messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. - Since messageExpression is used as a failure message, it must evaluate to a string. - If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. - If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced - as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string - that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and - the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. - messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. - Example: - "object.x must be less than max ("+string(params.max)+")" - type: string - reason: - description: |- - Reason represents a machine-readable description of why this validation failed. - If this is the first validation in the list to fail, this reason, as well as the - corresponding HTTP response code, are used in the - HTTP response to the client. - The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". - If not set, StatusReasonInvalid is used in the response to the client. - type: string - required: - - expression - type: object - type: array - paramKind: - description: ParamKind is a tuple of Group Kind - and Version. - properties: - apiVersion: - description: |- - APIVersion is the API group version the resources belong to. - In format of "group/version". - Required. - type: string - kind: - description: |- - Kind is the API kind the resources belong to. - Required. - type: string - type: object - x-kubernetes-map-type: atomic - paramRef: - description: ParamRef references a parameter resource. - properties: - name: - description: |- - `name` is the name of the resource being referenced. - - - `name` and `selector` are mutually exclusive properties. If one is set, - the other must be unset. - type: string - namespace: - description: |- - namespace is the namespace of the referenced resource. Allows limiting - the search for params to a specific namespace. Applies to both `name` and - `selector` fields. - - - A per-namespace parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field empty. - - - - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this - field results in a configuration error. - - - - If `paramKind` is namespace-scoped, the namespace of the object being - evaluated for admission will be used when this field is left unset. Take - care that if this is left empty the binding must not match any cluster-scoped - resources, which will result in an error. - type: string - parameterNotFoundAction: - description: |- - `parameterNotFoundAction` controls the behavior of the binding when the resource - exists, and name or selector is valid, but there are no parameters - matched by the binding. If the value is set to `Allow`, then no - matched parameters will be treated as successful validation by the binding. - If set to `Deny`, then no matched parameters will be subject to the - `failurePolicy` of the policy. - - - Allowed values are `Allow` or `Deny` - Default to `Deny` - type: string - selector: - description: |- - selector can be used to match multiple param objects based on their labels. - Supply selector: {} to match all resources of the ParamKind. - - - If multiple params are found, they are all evaluated with the policy expressions - and the results are ANDed together. - - - One of `name` or `selector` must be set, but `name` and `selector` are - mutually exclusive properties. If one is set, the other must be unset. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - x-kubernetes-map-type: atomic - variables: - description: |- - Variables contain definitions of variables that can be used in composition of other expressions. - Each variable is defined as a named CEL expression. - The variables defined here will be available under `variables` in other expressions of the policy. - items: - description: Variable is the definition of a variable - that is used for composition. - properties: - expression: - description: |- - Expression is the expression that will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers as the CEL expressions in Validation. - type: string - name: - description: |- - Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. - The variable can be accessed in other expressions through `variables` - For example, if name is "foo", the variable will be available as `variables.foo` - type: string - required: - - expression - - name - type: object - type: array - type: object - deny: - description: Deny defines conditions used to pass or - fail a validation rule. - properties: - conditions: - description: |- - Multiple conditions can be declared under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules - x-kubernetes-preserve-unknown-fields: true - type: object - foreach: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - items: - description: ForEachValidation applies validate rules - to a list of sub-elements by creating a context - for each entry in the list and looping over it to - apply the specified logic. - properties: - anyPattern: - description: |- - AnyPattern specifies list of validation patterns. At least one of the patterns - must be satisfied for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: |- - ContextEntry adds variables and data sources to a rule Context. Either a - ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: |- - APICall is an HTTP request to the Kubernetes API server, or other JSON web service. - The data returned is stored in the context with the name for the context entry. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - globalReference: - description: GlobalContextEntryReference - is a reference to a cached global context - entry. - properties: - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - name: - description: Name of the global context - entry - type: string - type: object - imageRegistry: - description: |- - ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials - provides credentials that will be - used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry - allows insecure access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: |- - Reference is image reference to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: |- - Default is an optional arbitrary JSON object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: |- - JMESPath is an optional JMESPath Expression that can be used to - transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. - properties: - conditions: - description: |- - Multiple conditions can be declared under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: |- - ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used as the validation scope within the foreach - block to allow referencing other elements in the subtree. - type: boolean - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: |- - List specifies a JMESPath expression that results in one or more elements - to which the validation logic is applied. - type: string - pattern: - description: Pattern specifies an overlay-style - pattern used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: |- - AnyAllConditions are used to determine if a policy rule should be applied by evaluating a - set of conditions. The declaration can contain nested `any` or `all` statements. - See: https://kyverno.io/docs/writing-policies/preconditions/ - properties: - all: - description: |- - AllConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, all of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: |- - AnyConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, at least one of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of - annotation for message and signature. Default - is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: |- - Count specifies the required number of entries that must match. If the count is null, all entries must match - (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a - value N, then N must be less than or equal to the size of entries, and at least N entries must match. - minimum: 1 - type: integer - entries: - description: |- - Entries contains the available attestors. An attestor can be a static key, - attributes for keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations are used for image verification. - Every specified key-value pair must exist and match in the verified payload. - The payload may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set - of Attestor used to specify a more - complex set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates. - properties: - cert: - description: Cert is an optional - PEM-encoded public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates - used to verify. - type: string - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - type: object - keyless: - description: |- - Keyless is a set of attribute used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - roots: - description: |- - Roots is an optional set of PEM encoded trusted root certificates. - If not provided, the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: |- - KMS provides the URI to the public key stored in a Key Management System. See: - https://github.com/sigstore/cosign/blob/main/KMS.md - type: string - publicKeys: - description: |- - Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly - specified or can be a variable reference to a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying it in the format "k8s:///". - The named Secret must specify a key `cosign.pub` containing the public key used for - verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each key is processed as a separate staticKey entry - (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and - sha512. - type: string - type: object - repository: - description: |- - Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. - If specified Repository will override other OCI image repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while - comparing manifests. - items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: |- - Repository is an optional alternate OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be - displayed on failure. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: |- - PodSecurity applies exemptions for Kubernetes Pod Security admission - by specifying exclusions for Pod Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security - Standard controls to be excluded. - items: - description: PodSecurityStandard specifies the - Pod Security Standard controls to be excluded. - properties: - controlName: - description: |- - ControlName specifies the name of the Pod Security Standard control. - See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: |- - Images selects matching containers and applies the container level PSS. - Each image is the image name consisting of the registry address, repository, image, and tag. - Empty list matches no containers, PSS checks are applied at the pod level only. - Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - items: - type: string - type: array - restrictedField: - description: |- - RestrictedField selects the field for the given Pod Security Standard control. - When not set, all restricted fields for the control are selected. - type: string - values: - description: Values defines the allowed values - that can be excluded. - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: |- - Level defines the Pod Security Standard level to be applied to workloads. - Allowed values are privileged, baseline, and restricted. - enum: - - privileged - - baseline - - restricted - type: string - version: - description: |- - Version defines the Pod Security Standard versions that Kubernetes supports. - Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest. - enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - v1.26 - - v1.27 - - v1.28 - - v1.29 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: |- - ImageVerification validates that images that match the specified pattern - are signed with the supplied public key. Once the image is verified it is - mutated to include the SHA digest retrieved during the registration. - properties: - additionalExtensions: - additionalProperties: - type: string - description: Deprecated. - type: object - annotations: - additionalProperties: - type: string - description: Deprecated. Use annotations per Attestor - instead. - type: object - attestations: - description: |- - Attestations are optional checks for signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the - OCI registry and decodes them into a list of Statement declarations. - items: - description: |- - Attestation are checks for signed in-toto Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the - OCI registry and decodes them into a list of Statements. - properties: - attestors: - description: Attestors specify the required - attestors (i.e. authorities). - items: - properties: - count: - description: |- - Count specifies the required number of entries that must match. If the count is null, all entries must match - (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a - value N, then N must be less than or equal to the size of entries, and at least N entries must match. - minimum: 1 - type: integer - entries: - description: |- - Entries contains the available attestors. An attestor can be a static key, - attributes for keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations are used for image verification. - Every specified key-value pair must exist and match in the verified payload. - The payload may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested - set of Attestor used to specify - a more complex set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates. - properties: - cert: - description: Cert is an optional - PEM-encoded public certificate. - type: string - certChain: - description: CertChain is an - optional PEM encoded set of - certificates used to verify. - type: string - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if - set, is used to validate - SCTs against a custom - source. - type: string - type: object - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog - skips transparency log - verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the - address of the transparency - log. Defaults to the public - Rekor log instance https://rekor.sigstore.dev. - type: string - type: object - type: object - keyless: - description: |- - Keyless is a set of attribute used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions - used for keyless signing. - type: object - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if - set, is used to validate - SCTs against a custom - source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog - skips transparency log - verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the - address of the transparency - log. Defaults to the public - Rekor log instance https://rekor.sigstore.dev. - type: string - type: object - roots: - description: |- - Roots is an optional set of PEM encoded trusted root certificates. - If not provided, the system roots are used. - type: string - subject: - description: Subject is the - verified identity used for - keyless signing, for example - the email address. - type: string - type: object - keys: - description: Keys specifies one - or more public keys. - properties: - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if - set, is used to validate - SCTs against a custom - source. - type: string - type: object - kms: - description: |- - KMS provides the URI to the public key stored in a Key Management System. See: - https://github.com/sigstore/cosign/blob/main/KMS.md - type: string - publicKeys: - description: |- - Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly - specified or can be a variable reference to a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying it in the format "k8s:///". - The named Secret must specify a key `cosign.pub` containing the public key used for - verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each key is processed as a separate staticKey entry - (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog - skips transparency log - verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the - address of the transparency - log. Defaults to the public - Rekor log instance https://rekor.sigstore.dev. - type: string - type: object - secret: - description: Reference to a - Secret resource that contains - a public key - properties: - name: - description: Name of the - secret. The provided secret - must contain a key named - cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature - algorithm for public keys. - Supported values are sha224, - sha256, sha384 and sha512. - type: string - type: object - repository: - description: |- - Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. - If specified Repository will override other OCI image repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: |- - Conditions are used to verify attributes within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there are predicates that match the predicate type. - items: - description: |- - AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one of its sub-conditions passes. - AllConditions get fulfilled only when all of its sub-conditions pass. - properties: - all: - description: |- - AllConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, all of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: |- - AnyConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, at least one of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: Deprecated in favour of 'Type', - to be removed soon - type: string - type: - description: Type defines the type of attestation - contained within the Statement. - type: string - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: |- - Count specifies the required number of entries that must match. If the count is null, all entries must match - (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a - value N, then N must be less than or equal to the size of entries, and at least N entries must match. - minimum: 1 - type: integer - entries: - description: |- - Entries contains the available attestors. An attestor can be a static key, - attributes for keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations are used for image verification. - Every specified key-value pair must exist and match in the verified payload. - The payload may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set - of Attestor used to specify a more complex - set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates. - properties: - cert: - description: Cert is an optional PEM-encoded - public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates - used to verify. - type: string - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - type: object - keyless: - description: |- - Keyless is a set of attribute used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - roots: - description: |- - Roots is an optional set of PEM encoded trusted root certificates. - If not provided, the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: |- - KMS provides the URI to the public key stored in a Key Management System. See: - https://github.com/sigstore/cosign/blob/main/KMS.md - type: string - publicKeys: - description: |- - Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly - specified or can be a variable reference to a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying it in the format "k8s:///". - The named Secret must specify a key `cosign.pub` containing the public key used for - verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each key is processed as a separate staticKey entry - (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and sha512. - type: string - type: object - repository: - description: |- - Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. - If specified Repository will override other OCI image repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - image: - description: Deprecated. Use ImageReferences instead. - type: string - imageReferences: - description: |- - ImageReferences is a list of matching image reference patterns. At least one pattern in the - list must match the image for the rule to apply. Each image reference consists of a registry - address (defaults to docker.io), repository, image, and tag (defaults to latest). - Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - items: - type: string - type: array - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry. - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure - access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers - required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - issuer: - description: Deprecated. Use KeylessAttestor instead. - type: string - key: - description: Deprecated. Use StaticKeyAttestor instead. - type: string - mutateDigest: - default: true - description: |- - MutateDigest enables replacement of image tags with digests. - Defaults to true. - type: boolean - repository: - description: |- - Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. - If specified Repository will override the default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. have matched passed a signature or attestation - check. - type: boolean - roots: - description: Deprecated. Use KeylessAttestor instead. - type: string - skipImageReferences: - description: |- - SkipImageReferences is a list of matching image reference patterns that should be skipped. - At least one pattern in the list must match the image for the rule to be skipped. Each image reference - consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). - Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - items: - type: string - type: array - subject: - description: Deprecated. Use KeylessAttestor instead. - type: string - type: - description: |- - Type specifies the method of signature validation. The allowed options - are Cosign and Notary. By default Cosign is used if a type is not specified. - enum: - - Cosign - - Notary - type: string - useCache: - default: true - description: UseCache enables caching of image verify - responses for this rule. - type: boolean - verifyDigest: - default: true - description: VerifyDigest validates that images have - a digest. - type: boolean - type: object - type: array - required: - - name - type: object - type: array - type: object - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - ready: - description: Deprecated in favor of Conditions - type: boolean - rulecount: - description: |- - RuleCountStatus contains four variables which describes counts for - validate, generate, mutate and verify images rules - properties: - generate: - description: Count for generate rules in policy - type: integer - mutate: - description: Count for mutate rules in policy - type: integer - validate: - description: Count for validate rules in policy - type: integer - verifyimages: - description: Count for verify image rules in policy - type: integer - required: - - generate - - mutate - - validate - - verifyimages - type: object - validatingadmissionpolicy: - description: ValidatingAdmissionPolicy contains status information - properties: - generated: - description: Generated indicates whether a validating admission - policy is generated from the policy or not - type: boolean - message: - description: |- - Message is a human readable message indicating details about the generation of validating admission policy - It is an empty string when validating admission policy is successfully generated. - type: string - required: - - generated - - message - type: object - required: - - ready - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.admission - name: ADMISSION - type: boolean - - jsonPath: .spec.background - name: BACKGROUND - type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - - jsonPath: .status.conditions[?(@.type == "Ready")].status - name: READY - type: string - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .spec.failurePolicy - name: FAILURE POLICY - priority: 1 - type: string - - jsonPath: .status.rulecount.validate - name: VALIDATE - priority: 1 - type: integer - - jsonPath: .status.rulecount.mutate - name: MUTATE - priority: 1 - type: integer - - jsonPath: .status.rulecount.generate - name: GENERATE - priority: 1 - type: integer - - jsonPath: .status.rulecount.verifyimages - name: VERIFY IMAGES - priority: 1 - type: integer - - jsonPath: .status.conditions[?(@.type == "Ready")].message - name: MESSAGE - type: string - name: v2beta1 - schema: - openAPIV3Schema: - description: ClusterPolicy declares validation, mutation, and generation behaviors - for matching resources. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec declares policy behaviors. - properties: - admission: - default: true - description: |- - Admission controls if rules are applied during admission. - Optional. Default value is "true". - type: boolean - applyRules: - description: |- - ApplyRules controls how rules in a policy are applied. Rule are processed in - the order of declaration. When set to `One` processing stops after a rule has - been applied i.e. the rule matches and results in a pass, fail, or error. When - set to `All` all rules in the policy are processed. The default is `All`. - enum: - - All - - One - type: string - background: - default: true - description: |- - Background controls if rules are applied to existing resources during a background scan. - Optional. Default value is "true". The value must be set to "false" if the policy rule - uses variables that are only available in the admission review request (e.g. user name). - type: boolean - failurePolicy: - description: |- - FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. - Rules within the same policy share the same failure behavior. - Allowed values are Ignore or Fail. Defaults to Fail. - enum: - - Ignore - - Fail - type: string - generateExisting: - description: |- - GenerateExisting controls whether to trigger generate rule in existing resources - If is set to "true" generate rule will be triggered and applied to existing matched resources. - Defaults to "false" if not specified. - type: boolean - generateExistingOnPolicyUpdate: - description: Deprecated, use generateExisting instead - type: boolean - mutateExistingOnPolicyUpdate: - description: |- - MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. - Default value is "false". - type: boolean - rules: - description: |- - Rules is a list of Rule instances. A Policy contains multiple rules and - each rule can validate, mutate, or generate resources. - items: - description: |- - Rule defines a validation, mutation, or generation control for matching resources. - Each rules contains a match declaration to select resources, and an optional exclude - declaration to specify which resources to exclude. - properties: - celPreconditions: - description: |- - CELPreconditions are used to determine if a policy rule should be applied by evaluating a - set of CEL conditions. It can only be used with the validate.cel subrule - items: - description: MatchCondition represents a condition which must - by fulfilled for a request to be sent to a webhook. - properties: - expression: - description: |- - Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. - CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: - - - 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. - See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the - request resource. - Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - - - Required. - type: string - name: - description: |- - Name is an identifier for this match condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. A good name should be descriptive of - the associated expression. - Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or - '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an - optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') - - - Required. - type: string - required: - - expression - - name - type: object - type: array - context: - description: Context defines variables and data sources that - can be used during rule execution. - items: - description: |- - ContextEntry adds variables and data sources to a rule Context. Either a - ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: |- - APICall is an HTTP request to the Kubernetes API server, or other JSON web service. - The data returned is stored in the context with the name for the context entry. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains the HTTP POST - data - properties: - key: - description: Key is a unique identifier for - the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request type (GET - or POST). - enum: - - GET - - POST - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - globalReference: - description: GlobalContextEntryReference is a reference - to a cached global context entry. - properties: - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - name: - description: Name of the global context entry - type: string - type: object - imageRegistry: - description: |- - ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure - access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers - required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: |- - Reference is image reference to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath context - variable that can be defined inline. - properties: - default: - description: |- - Default is an optional arbitrary JSON object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: |- - JMESPath is an optional JMESPath Expression that can be used to - transform the variable. - type: string - value: - description: Value is any arbitrary JSON object representable - in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: |- - ExcludeResources defines when this policy rule should not be applied. The exclude - criteria can include resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - generate: - description: Generation is used to create new resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: |- - Clone specifies the source resource used to populate each generated resource. - At most one of Data or Clone can be specified. If neither are provided, the generated - resource will be created with default data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source resource - used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - namespace: - description: Namespace specifies source resource namespace. - type: string - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels`. - wildcard characters are not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: |- - Data provides the resource declaration used to populate each generated resource. - At most one of Data or Clone must be specified. If neither are provided, the generated - resource will be created with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - orphanDownstreamOnPolicyDelete: - description: |- - OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated - them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type. - See https://kyverno.io/docs/writing-policies/generate/#data-examples. - Defaults to "false" if not specified. - type: boolean - synchronize: - description: |- - Synchronize controls if generated resources should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated resources will be overwritten with resource - data from Data or the resource specified in the Clone declaration. - Optional. Defaults to "false" if not specified. - type: boolean - uid: - description: UID specifies the resource uid. - type: string - type: object - imageExtractors: - additionalProperties: - items: - properties: - jmesPath: - description: |- - JMESPath is an optional JMESPath expression to apply to the image value. - This is useful when the extracted image begins with a prefix like 'docker://'. - The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). - Note - Image digest mutation may not be used when applying a JMESPAth to an image. - type: string - key: - description: |- - Key is an optional name of the field within 'path' that will be used to uniquely identify an image. - Note - this field MUST be unique. - type: string - name: - description: |- - Name is the entry the image will be available under 'images.' in the context. - If this field is not defined, image entries will appear under 'images.custom'. - type: string - path: - description: |- - Path is the path to the object containing the image field in a custom resource. - It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. - Wildcard keys are expanded in case of arrays or objects. - type: string - value: - description: |- - Value is an optional name of the field within 'path' that points to the image URI. - This is useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: |- - ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. - This config is only valid for verifyImages rules. - type: object - match: - description: |- - MatchResources defines when this policy rule should be applied. The match - criteria can include resource information (e.g. kind, name, namespace, labels) - and admission review request information like the user name or role. - At least one kind is required. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. - properties: - foreach: - description: ForEach applies mutation rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEachMutation applies mutation rules to - a list of sub-elements by creating a context for each - entry in the list and looping over it to apply the specified - logic. - properties: - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: |- - ContextEntry adds variables and data sources to a rule Context. Either a - ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: |- - APICall is an HTTP request to the Kubernetes API server, or other JSON web service. - The data returned is stored in the context with the name for the context entry. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains the - HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - globalReference: - description: GlobalContextEntryReference is - a reference to a cached global context entry. - properties: - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - name: - description: Name of the global context - entry - type: string - type: object - imageRegistry: - description: |- - ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: |- - Reference is image reference to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: |- - Default is an optional arbitrary JSON object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: |- - JMESPath is an optional JMESPath Expression that can be used to - transform the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: |- - List specifies a JMESPath expression that results in one or more elements - to which the validation logic is applied. - type: string - order: - description: |- - Order defines the iteration order on the list. - Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. - enum: - - Ascending - - Descending - type: string - patchStrategicMerge: - description: |- - PatchStrategicMerge is a strategic merge patch used to modify resources. - See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: |- - PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. - See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: |- - AnyAllConditions are used to determine if a policy rule should be applied by evaluating a - set of conditions. The declaration can contain nested `any` or `all` statements. - See: https://kyverno.io/docs/writing-policies/preconditions/ - properties: - all: - description: |- - AllConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, all of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: |- - AnyConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, at least one of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: |- - PatchStrategicMerge is a strategic merge patch used to modify resources. - See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: |- - PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. - See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to be - mutated. - items: - description: TargetResourceSpec defines targets for mutating - existing resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: |- - ContextEntry adds variables and data sources to a rule Context. Either a - ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: |- - APICall is an HTTP request to the Kubernetes API server, or other JSON web service. - The data returned is stored in the context with the name for the context entry. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains the - HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - globalReference: - description: GlobalContextEntryReference is - a reference to a cached global context entry. - properties: - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - name: - description: Name of the global context - entry - type: string - type: object - imageRegistry: - description: |- - ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: |- - Reference is image reference to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: |- - Default is an optional arbitrary JSON object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: |- - JMESPath is an optional JMESPath Expression that can be used to - transform the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - preconditions: - description: |- - Preconditions are used to determine if a policy rule should be applied by evaluating a - set of conditions. The declaration can contain nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements is supported for backwards compatibility but - will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/ - x-kubernetes-preserve-unknown-fields: true - uid: - description: UID specifies the resource uid. - type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must be - unique within the policy. - maxLength: 63 - type: string - preconditions: - description: |- - Preconditions are used to determine if a policy rule should be applied by evaluating a - set of conditions. The declaration can contain nested `any` or `all` statements. - See: https://kyverno.io/docs/writing-policies/preconditions/ - properties: - all: - description: |- - AllConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, all of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: |- - AnyConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, at least one of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - skipBackgroundRequests: - default: true - description: |- - SkipBackgroundRequests bypasses admission requests that are sent by the background controller. - The default value is set to "true", it must be set to "false" to apply - generate and mutateExisting rules to those requests. - type: boolean - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: |- - AnyPattern specifies list of validation patterns. At least one of the patterns - must be satisfied for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - cel: - description: CEL allows validation checks using the Common - Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). - properties: - auditAnnotations: - description: AuditAnnotations contains CEL expressions - which are used to produce audit annotations for the - audit event of the API request. - items: - description: AuditAnnotation describes how to produce - an audit annotation for an API request. - properties: - key: - description: |- - key specifies the audit annotation key. The audit annotation keys of - a ValidatingAdmissionPolicy must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. - - - The key is combined with the resource name of the - ValidatingAdmissionPolicy to construct an audit annotation key: - "{ValidatingAdmissionPolicy name}/{key}". - - - If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation key will be identical. - In this case, the first annotation written with the key will be included - in the audit event and all subsequent annotations with the same key - will be discarded. - - - Required. - type: string - valueExpression: - description: |- - valueExpression represents the expression which is evaluated by CEL to - produce an audit annotation value. The expression must evaluate to either - a string or null value. If the expression evaluates to a string, the - audit annotation is included with the string value. If the expression - evaluates to null or empty string the audit annotation will be omitted. - The valueExpression may be no longer than 5kb in length. - If the result of the valueExpression is more than 10kb in length, it - will be truncated to 10kb. - - - If multiple ValidatingAdmissionPolicyBinding resources match an - API request, then the valueExpression will be evaluated for - each binding. All unique values produced by the valueExpressions - will be joined together in a comma-separated list. - - - Required. - type: string - required: - - key - - valueExpression - type: object - type: array - expressions: - description: Expressions is a list of CELExpression - types. - items: - description: Validation specifies the CEL expression - which is used to apply the validation. - properties: - expression: - description: "Expression represents the expression - which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL - expressions have access to the contents of the - API request/response, organized into CEL variables - as well as some other useful variables:\n\n\n- - 'object' - The object from the incoming request. - The value is null for DELETE requests.\n- 'oldObject' - - The existing object. The value is null for - CREATE requests.\n- 'request' - Attributes of - the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- - 'params' - Parameter resource referred to by - the policy binding being evaluated. Only populated - if the policy has a ParamKind.\n- 'namespaceObject' - - The namespace object that the incoming object - belongs to. The value is null for cluster-scoped - resources.\n- 'variables' - Map of composited - variables, from its name to its lazily evaluated - value.\n For example, a variable named 'foo' - can be accessed as 'variables.foo'.\n- 'authorizer' - - A CEL Authorizer. May be used to perform authorization - checks for the principal (user or service account) - of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the\n request resource.\n\n\nThe `apiVersion`, - `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the\nobject. - No other metadata properties are accessible.\n\n\nOnly - property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible.\nAccessible property names are - escaped according to the following rules when - accessed in the expression:\n- '__' escapes - to '__underscores__'\n- '.' escapes to '__dot__'\n- - '-' escapes to '__dash__'\n- '/' escapes to - '__slash__'\n- Property names that exactly match - a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are:\n\t \"true\", \"false\", - \"null\", \"in\", \"as\", \"break\", \"const\", - \"continue\", \"else\", \"for\", \"function\", - \"if\",\n\t \"import\", \"let\", \"loop\", - \"package\", \"namespace\", \"return\".\nExamples:\n - \ - Expression accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ > 0\"}\n - \ - Expression accessing a property named \"x-prop\": - {\"Expression\": \"object.x__dash__prop > 0\"}\n - \ - Expression accessing a property named \"redact__d\": - {\"Expression\": \"object.redact__underscores__d - > 0\"}\n\n\nEquality on arrays with list type - of 'set' or 'map' ignores element order, i.e. - [1, 2] == [2, 1].\nConcatenation on arrays with - x-kubernetes-list-type use the semantics of - the list type:\n - 'set': `X + Y` performs - a union where the array positions of all elements - in `X` are preserved and\n non-intersecting - elements in `Y` are appended, retaining their - partial order.\n - 'map': `X + Y` performs - a merge where the array positions of all keys - in `X` are preserved but the values\n are - overwritten by values in `Y` when the key sets - of `X` and `Y` intersect. Elements in `Y` with\n - \ non-intersecting keys are appended, retaining - their partial order.\nRequired." - type: string - message: - description: |- - Message represents the message displayed when validation fails. The message is required if the Expression contains - line breaks. The message must not contain line breaks. - If unset, the message is "failed rule: {Rule}". - e.g. "must be a URL with the host matching spec.host" - If the Expression contains line breaks. Message is required. - The message must not contain line breaks. - If unset, the message is "failed Expression: {Expression}". - type: string - messageExpression: - description: |- - messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. - Since messageExpression is used as a failure message, it must evaluate to a string. - If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. - If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced - as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string - that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and - the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. - messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. - Example: - "object.x must be less than max ("+string(params.max)+")" - type: string - reason: - description: |- - Reason represents a machine-readable description of why this validation failed. - If this is the first validation in the list to fail, this reason, as well as the - corresponding HTTP response code, are used in the - HTTP response to the client. - The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". - If not set, StatusReasonInvalid is used in the response to the client. - type: string - required: - - expression - type: object - type: array - paramKind: - description: ParamKind is a tuple of Group Kind and - Version. - properties: - apiVersion: - description: |- - APIVersion is the API group version the resources belong to. - In format of "group/version". - Required. - type: string - kind: - description: |- - Kind is the API kind the resources belong to. - Required. - type: string - type: object - x-kubernetes-map-type: atomic - paramRef: - description: ParamRef references a parameter resource. - properties: - name: - description: |- - `name` is the name of the resource being referenced. - - - `name` and `selector` are mutually exclusive properties. If one is set, - the other must be unset. - type: string - namespace: - description: |- - namespace is the namespace of the referenced resource. Allows limiting - the search for params to a specific namespace. Applies to both `name` and - `selector` fields. - - - A per-namespace parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field empty. - - - - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this - field results in a configuration error. - - - - If `paramKind` is namespace-scoped, the namespace of the object being - evaluated for admission will be used when this field is left unset. Take - care that if this is left empty the binding must not match any cluster-scoped - resources, which will result in an error. - type: string - parameterNotFoundAction: - description: |- - `parameterNotFoundAction` controls the behavior of the binding when the resource - exists, and name or selector is valid, but there are no parameters - matched by the binding. If the value is set to `Allow`, then no - matched parameters will be treated as successful validation by the binding. - If set to `Deny`, then no matched parameters will be subject to the - `failurePolicy` of the policy. - - - Allowed values are `Allow` or `Deny` - Default to `Deny` - type: string - selector: - description: |- - selector can be used to match multiple param objects based on their labels. - Supply selector: {} to match all resources of the ParamKind. - - - If multiple params are found, they are all evaluated with the policy expressions - and the results are ANDed together. - - - One of `name` or `selector` must be set, but `name` and `selector` are - mutually exclusive properties. If one is set, the other must be unset. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - x-kubernetes-map-type: atomic - variables: - description: |- - Variables contain definitions of variables that can be used in composition of other expressions. - Each variable is defined as a named CEL expression. - The variables defined here will be available under `variables` in other expressions of the policy. - items: - description: Variable is the definition of a variable - that is used for composition. - properties: - expression: - description: |- - Expression is the expression that will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers as the CEL expressions in Validation. - type: string - name: - description: |- - Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. - The variable can be accessed in other expressions through `variables` - For example, if name is "foo", the variable will be available as `variables.foo` - type: string - required: - - expression - - name - type: object - type: array - type: object - deny: - description: Deny defines conditions used to pass or fail - a validation rule. - properties: - conditions: - description: |- - Multiple conditions can be declared under an `any` or `all` statement. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules - properties: - all: - description: |- - AllConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, all of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: |- - AnyConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, at least one of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: object - foreach: - description: ForEach applies validate rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEachValidation applies validate rules - to a list of sub-elements by creating a context for - each entry in the list and looping over it to apply - the specified logic. - properties: - anyPattern: - description: |- - AnyPattern specifies list of validation patterns. At least one of the patterns - must be satisfied for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: |- - ContextEntry adds variables and data sources to a rule Context. Either a - ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: |- - APICall is an HTTP request to the Kubernetes API server, or other JSON web service. - The data returned is stored in the context with the name for the context entry. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains the - HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - globalReference: - description: GlobalContextEntryReference is - a reference to a cached global context entry. - properties: - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - name: - description: Name of the global context - entry - type: string - type: object - imageRegistry: - description: |- - ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: |- - Reference is image reference to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: |- - Default is an optional arbitrary JSON object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: |- - JMESPath is an optional JMESPath Expression that can be used to - transform the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. - properties: - conditions: - description: |- - Multiple conditions can be declared under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: |- - ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used as the validation scope within the foreach - block to allow referencing other elements in the subtree. - type: boolean - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: |- - List specifies a JMESPath expression that results in one or more elements - to which the validation logic is applied. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: |- - AnyAllConditions are used to determine if a policy rule should be applied by evaluating a - set of conditions. The declaration can contain nested `any` or `all` statements. - See: https://kyverno.io/docs/writing-policies/preconditions/ - properties: - all: - description: |- - AllConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, all of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: |- - AnyConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, at least one of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of annotation - for message and signature. Default is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: |- - Count specifies the required number of entries that must match. If the count is null, all entries must match - (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a - value N, then N must be less than or equal to the size of entries, and at least N entries must match. - minimum: 1 - type: integer - entries: - description: |- - Entries contains the available attestors. An attestor can be a static key, - attributes for keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations are used for image verification. - Every specified key-value pair must exist and match in the verified payload. - The payload may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set of - Attestor used to specify a more complex - set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates. - properties: - cert: - description: Cert is an optional PEM-encoded - public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates used - to verify. - type: string - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - type: object - keyless: - description: |- - Keyless is a set of attribute used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - roots: - description: |- - Roots is an optional set of PEM encoded trusted root certificates. - If not provided, the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: |- - KMS provides the URI to the public key stored in a Key Management System. See: - https://github.com/sigstore/cosign/blob/main/KMS.md - type: string - publicKeys: - description: |- - Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly - specified or can be a variable reference to a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying it in the format "k8s:///". - The named Secret must specify a key `cosign.pub` containing the public key used for - verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each key is processed as a separate staticKey entry - (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and sha512. - type: string - type: object - repository: - description: |- - Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. - If specified Repository will override other OCI image repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while comparing - manifests. - items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: |- - Repository is an optional alternate OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be displayed - on failure. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: |- - PodSecurity applies exemptions for Kubernetes Pod Security admission - by specifying exclusions for Pod Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security Standard - controls to be excluded. - items: - description: PodSecurityStandard specifies the Pod - Security Standard controls to be excluded. - properties: - controlName: - description: |- - ControlName specifies the name of the Pod Security Standard control. - See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: |- - Images selects matching containers and applies the container level PSS. - Each image is the image name consisting of the registry address, repository, image, and tag. - Empty list matches no containers, PSS checks are applied at the pod level only. - Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - items: - type: string - type: array - restrictedField: - description: |- - RestrictedField selects the field for the given Pod Security Standard control. - When not set, all restricted fields for the control are selected. - type: string - values: - description: Values defines the allowed values - that can be excluded. - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: |- - Level defines the Pod Security Standard level to be applied to workloads. - Allowed values are privileged, baseline, and restricted. - enum: - - privileged - - baseline - - restricted - type: string - version: - description: |- - Version defines the Pod Security Standard versions that Kubernetes supports. - Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest. - enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - v1.26 - - v1.27 - - v1.28 - - v1.29 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: |- - ImageVerification validates that images that match the specified pattern - are signed with the supplied public key. Once the image is verified it is - mutated to include the SHA digest retrieved during the registration. - properties: - attestations: - description: |- - Attestations are optional checks for signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the - OCI registry and decodes them into a list of Statement declarations. - items: - description: |- - Attestation are checks for signed in-toto Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the - OCI registry and decodes them into a list of Statements. - properties: - attestors: - description: Attestors specify the required attestors - (i.e. authorities). - items: - properties: - count: - description: |- - Count specifies the required number of entries that must match. If the count is null, all entries must match - (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a - value N, then N must be less than or equal to the size of entries, and at least N entries must match. - minimum: 1 - type: integer - entries: - description: |- - Entries contains the available attestors. An attestor can be a static key, - attributes for keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations are used for image verification. - Every specified key-value pair must exist and match in the verified payload. - The payload may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set - of Attestor used to specify a more - complex set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates. - properties: - cert: - description: Cert is an optional - PEM-encoded public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates - used to verify. - type: string - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - type: object - keyless: - description: |- - Keyless is a set of attribute used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - roots: - description: |- - Roots is an optional set of PEM encoded trusted root certificates. - If not provided, the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: |- - KMS provides the URI to the public key stored in a Key Management System. See: - https://github.com/sigstore/cosign/blob/main/KMS.md - type: string - publicKeys: - description: |- - Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly - specified or can be a variable reference to a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying it in the format "k8s:///". - The named Secret must specify a key `cosign.pub` containing the public key used for - verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each key is processed as a separate staticKey entry - (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and - sha512. - type: string - type: object - repository: - description: |- - Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. - If specified Repository will override other OCI image repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: |- - Conditions are used to verify attributes within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there are predicates that match the predicate type. - items: - description: |- - AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one of its sub-conditions passes. - AllConditions get fulfilled only when all of its sub-conditions pass. - properties: - all: - description: |- - AllConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, all of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: |- - AnyConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, at least one of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: Deprecated in favour of 'Type', to - be removed soon - type: string - type: - description: Type defines the type of attestation - contained within the Statement. - type: string - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: |- - Count specifies the required number of entries that must match. If the count is null, all entries must match - (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a - value N, then N must be less than or equal to the size of entries, and at least N entries must match. - minimum: 1 - type: integer - entries: - description: |- - Entries contains the available attestors. An attestor can be a static key, - attributes for keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations are used for image verification. - Every specified key-value pair must exist and match in the verified payload. - The payload may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set of Attestor - used to specify a more complex set of match - authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one or - more certificates. - properties: - cert: - description: Cert is an optional PEM-encoded - public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates used - to verify. - type: string - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is used - to validate SCTs against a custom - source. - type: string - type: object - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address of - the transparency log. Defaults to - the public Rekor log instance https://rekor.sigstore.dev. - type: string - type: object - type: object - keyless: - description: |- - Keyless is a set of attribute used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is used - to validate SCTs against a custom - source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address of - the transparency log. Defaults to - the public Rekor log instance https://rekor.sigstore.dev. - type: string - type: object - roots: - description: |- - Roots is an optional set of PEM encoded trusted root certificates. - If not provided, the system roots are used. - type: string - subject: - description: Subject is the verified identity - used for keyless signing, for example - the email address. - type: string - type: object - keys: - description: Keys specifies one or more public - keys. - properties: - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is used - to validate SCTs against a custom - source. - type: string - type: object - kms: - description: |- - KMS provides the URI to the public key stored in a Key Management System. See: - https://github.com/sigstore/cosign/blob/main/KMS.md - type: string - publicKeys: - description: |- - Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly - specified or can be a variable reference to a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying it in the format "k8s:///". - The named Secret must specify a key `cosign.pub` containing the public key used for - verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each key is processed as a separate staticKey entry - (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address of - the transparency log. Defaults to - the public Rekor log instance https://rekor.sigstore.dev. - type: string - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. The - provided secret must contain a key - named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values are - sha224, sha256, sha384 and sha512. - type: string - type: object - repository: - description: |- - Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. - If specified Repository will override other OCI image repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - imageReferences: - description: |- - ImageReferences is a list of matching image reference patterns. At least one pattern in the - list must match the image for the rule to apply. Each image reference consists of a registry - address (defaults to docker.io), repository, image, and tag (defaults to latest). - Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - items: - type: string - type: array - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure - access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - mutateDigest: - default: true - description: |- - MutateDigest enables replacement of image tags with digests. - Defaults to true. - type: boolean - repository: - description: |- - Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. - If specified Repository will override the default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. have matched passed a signature or attestation - check. - type: boolean - skipImageReferences: - description: |- - SkipImageReferences is a list of matching image reference patterns that should be skipped. - At least one pattern in the list must match the image for the rule to be skipped. Each image reference - consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). - Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - items: - type: string - type: array - type: - description: |- - Type specifies the method of signature validation. The allowed options - are Cosign and Notary. By default Cosign is used if a type is not specified. - enum: - - Cosign - - Notary - type: string - useCache: - default: true - description: UseCache enables caching of image verify - responses for this rule - type: boolean - verifyDigest: - default: true - description: VerifyDigest validates that images have a - digest. - type: boolean - type: object - type: array - required: - - name - type: object - type: array - schemaValidation: - description: Deprecated. - type: boolean - useServerSideApply: - description: |- - UseServerSideApply controls whether to use server-side apply for generate rules - If is set to "true" create & update for generate rules will use apply instead of create/update. - Defaults to "false" if not specified. - type: boolean - validationFailureAction: - default: Audit - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are audit or enforce. The default value is "Audit". - enum: - - audit - - enforce - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the policy validation - failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array - webhookConfiguration: - description: |- - WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. - Requires Kubernetes 1.27 or later. - properties: - matchConditions: - description: MatchCondition configures admission webhook matchConditions. - items: - description: MatchCondition represents a condition which must - by fulfilled for a request to be sent to a webhook. - properties: - expression: - description: |- - Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. - CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: - - - 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. - See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the - request resource. - Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - - - Required. - type: string - name: - description: |- - Name is an identifier for this match condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. A good name should be descriptive of - the associated expression. - Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or - '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an - optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') - - - Required. - type: string - required: - - expression - - name - type: object - type: array - type: object - webhookTimeoutSeconds: - description: |- - WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. - After the configured time expires, the admission request may fail, or may simply ignore the policy results, - based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. - format: int32 - type: integer - type: object - status: - description: Status contains policy runtime data. - properties: - autogen: - description: AutogenStatus contains autogen status information. - properties: - rules: - description: Rules is a list of Rule instances. It contains auto - generated rules added for pod controllers - items: - description: |- - Rule defines a validation, mutation, or generation control for matching resources. - Each rules contains a match declaration to select resources, and an optional exclude - declaration to specify which resources to exclude. - properties: - celPreconditions: - description: |- - CELPreconditions are used to determine if a policy rule should be applied by evaluating a - set of CEL conditions. It can only be used with the validate.cel subrule - items: - description: MatchCondition represents a condition which - must by fulfilled for a request to be sent to a webhook. - properties: - expression: - description: |- - Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. - CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: - - - 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. - See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the - request resource. - Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - - - Required. - type: string - name: - description: |- - Name is an identifier for this match condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. A good name should be descriptive of - the associated expression. - Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or - '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an - optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') - - - Required. - type: string - required: - - expression - - name - type: object - type: array - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: |- - ContextEntry adds variables and data sources to a rule Context. Either a - ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: |- - APICall is an HTTP request to the Kubernetes API server, or other JSON web service. - The data returned is stored in the context with the name for the context entry. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains the HTTP POST - data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request type (GET - or POST). - enum: - - GET - - POST - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - globalReference: - description: GlobalContextEntryReference is a reference - to a cached global context entry. - properties: - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - name: - description: Name of the global context entry - type: string - type: object - imageRegistry: - description: |- - ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers - required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: |- - Reference is image reference to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: |- - Default is an optional arbitrary JSON object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: |- - JMESPath is an optional JMESPath Expression that can be used to - transform the variable. - type: string - value: - description: Value is any arbitrary JSON object - representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: |- - ExcludeResources defines when this policy rule should not be applied. The exclude - criteria can include resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: |- - ResourceDescription contains information about the resource being created or modified. - Requires at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match is being deprecated. - Please specify under "any" or "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one of - the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - generate: - description: Generation is used to create new resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: |- - Clone specifies the source resource used to populate each generated resource. - At most one of Data or Clone can be specified. If neither are provided, the generated - resource will be created with default data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource - namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source - resource used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - namespace: - description: Namespace specifies source resource - namespace. - type: string - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels`. - wildcard characters are not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: |- - Data provides the resource declaration used to populate each generated resource. - At most one of Data or Clone must be specified. If neither are provided, the generated - resource will be created with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - orphanDownstreamOnPolicyDelete: - description: |- - OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated - them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type. - See https://kyverno.io/docs/writing-policies/generate/#data-examples. - Defaults to "false" if not specified. - type: boolean - synchronize: - description: |- - Synchronize controls if generated resources should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated resources will be overwritten with resource - data from Data or the resource specified in the Clone declaration. - Optional. Defaults to "false" if not specified. - type: boolean - uid: - description: UID specifies the resource uid. - type: string - type: object - imageExtractors: - additionalProperties: - items: - properties: - jmesPath: - description: |- - JMESPath is an optional JMESPath expression to apply to the image value. - This is useful when the extracted image begins with a prefix like 'docker://'. - The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). - Note - Image digest mutation may not be used when applying a JMESPAth to an image. - type: string - key: - description: |- - Key is an optional name of the field within 'path' that will be used to uniquely identify an image. - Note - this field MUST be unique. - type: string - name: - description: |- - Name is the entry the image will be available under 'images.' in the context. - If this field is not defined, image entries will appear under 'images.custom'. - type: string - path: - description: |- - Path is the path to the object containing the image field in a custom resource. - It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. - Wildcard keys are expanded in case of arrays or objects. - type: string - value: - description: |- - Value is an optional name of the field within 'path' that points to the image URI. - This is useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: |- - ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. - This config is only valid for verifyImages rules. - type: object - match: - description: |- - MatchResources defines when this policy rule should be applied. The match - criteria can include resource information (e.g. kind, name, namespace, labels) - and admission review request information like the user name or role. - At least one kind is required. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: |- - ResourceDescription contains information about the resource being created or modified. - Requires at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match is being deprecated. - Please specify under "any" or "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one of - the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. - properties: - foreach: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - items: - description: ForEachMutation applies mutation rules - to a list of sub-elements by creating a context - for each entry in the list and looping over it to - apply the specified logic. - properties: - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: |- - ContextEntry adds variables and data sources to a rule Context. Either a - ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: |- - APICall is an HTTP request to the Kubernetes API server, or other JSON web service. - The data returned is stored in the context with the name for the context entry. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - globalReference: - description: GlobalContextEntryReference - is a reference to a cached global context - entry. - properties: - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - name: - description: Name of the global context - entry - type: string - type: object - imageRegistry: - description: |- - ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials - provides credentials that will be - used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry - allows insecure access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: |- - Reference is image reference to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: |- - Default is an optional arbitrary JSON object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: |- - JMESPath is an optional JMESPath Expression that can be used to - transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: |- - List specifies a JMESPath expression that results in one or more elements - to which the validation logic is applied. - type: string - order: - description: |- - Order defines the iteration order on the list. - Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. - enum: - - Ascending - - Descending - type: string - patchStrategicMerge: - description: |- - PatchStrategicMerge is a strategic merge patch used to modify resources. - See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: |- - PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. - See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: |- - AnyAllConditions are used to determine if a policy rule should be applied by evaluating a - set of conditions. The declaration can contain nested `any` or `all` statements. - See: https://kyverno.io/docs/writing-policies/preconditions/ - properties: - all: - description: |- - AllConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, all of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: |- - AnyConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, at least one of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: |- - PatchStrategicMerge is a strategic merge patch used to modify resources. - See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: |- - PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. - See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to - be mutated. - items: - description: TargetResourceSpec defines targets for - mutating existing resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: |- - ContextEntry adds variables and data sources to a rule Context. Either a - ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: |- - APICall is an HTTP request to the Kubernetes API server, or other JSON web service. - The data returned is stored in the context with the name for the context entry. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - globalReference: - description: GlobalContextEntryReference - is a reference to a cached global context - entry. - properties: - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - name: - description: Name of the global context - entry - type: string - type: object - imageRegistry: - description: |- - ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials - provides credentials that will be - used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry - allows insecure access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: |- - Reference is image reference to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: |- - Default is an optional arbitrary JSON object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: |- - JMESPath is an optional JMESPath Expression that can be used to - transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - preconditions: - description: |- - Preconditions are used to determine if a policy rule should be applied by evaluating a - set of conditions. The declaration can contain nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements is supported for backwards compatibility but - will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/ - x-kubernetes-preserve-unknown-fields: true - uid: - description: UID specifies the resource uid. - type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must - be unique within the policy. - maxLength: 63 - type: string - preconditions: - description: |- - Preconditions are used to determine if a policy rule should be applied by evaluating a - set of conditions. The declaration can contain nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements is supported for backwards compatibility but - will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/ - x-kubernetes-preserve-unknown-fields: true - skipBackgroundRequests: - default: true - description: |- - SkipBackgroundRequests bypasses admission requests that are sent by the background controller. - The default value is set to "true", it must be set to "false" to apply - generate and mutateExisting rules to those requests. - type: boolean - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: |- - AnyPattern specifies list of validation patterns. At least one of the patterns - must be satisfied for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - cel: - description: CEL allows validation checks using the - Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). - properties: - auditAnnotations: - description: AuditAnnotations contains CEL expressions - which are used to produce audit annotations for - the audit event of the API request. - items: - description: AuditAnnotation describes how to - produce an audit annotation for an API request. - properties: - key: - description: |- - key specifies the audit annotation key. The audit annotation keys of - a ValidatingAdmissionPolicy must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. - - - The key is combined with the resource name of the - ValidatingAdmissionPolicy to construct an audit annotation key: - "{ValidatingAdmissionPolicy name}/{key}". - - - If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation key will be identical. - In this case, the first annotation written with the key will be included - in the audit event and all subsequent annotations with the same key - will be discarded. - - - Required. - type: string - valueExpression: - description: |- - valueExpression represents the expression which is evaluated by CEL to - produce an audit annotation value. The expression must evaluate to either - a string or null value. If the expression evaluates to a string, the - audit annotation is included with the string value. If the expression - evaluates to null or empty string the audit annotation will be omitted. - The valueExpression may be no longer than 5kb in length. - If the result of the valueExpression is more than 10kb in length, it - will be truncated to 10kb. - - - If multiple ValidatingAdmissionPolicyBinding resources match an - API request, then the valueExpression will be evaluated for - each binding. All unique values produced by the valueExpressions - will be joined together in a comma-separated list. - - - Required. - type: string - required: - - key - - valueExpression - type: object - type: array - expressions: - description: Expressions is a list of CELExpression - types. - items: - description: Validation specifies the CEL expression - which is used to apply the validation. - properties: - expression: - description: "Expression represents the expression - which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL - expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful - variables:\n\n\n- 'object' - The object - from the incoming request. The value is - null for DELETE requests.\n- 'oldObject' - - The existing object. The value is null - for CREATE requests.\n- 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind.\n- - 'namespaceObject' - The namespace object - that the incoming object belongs to. The - value is null for cluster-scoped resources.\n- - 'variables' - Map of composited variables, - from its name to its lazily evaluated value.\n - \ For example, a variable named 'foo' can - be accessed as 'variables.foo'.\n- 'authorizer' - - A CEL Authorizer. May be used to perform - authorization checks for the principal (user - or service account) of the request.\n See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the\n request resource.\n\n\nThe `apiVersion`, - `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the\nobject. - No other metadata properties are accessible.\n\n\nOnly - property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible.\nAccessible property names - are escaped according to the following rules - when accessed in the expression:\n- '__' - escapes to '__underscores__'\n- '.' escapes - to '__dot__'\n- '-' escapes to '__dash__'\n- - '/' escapes to '__slash__'\n- Property names - that exactly match a CEL RESERVED keyword - escape to '__{keyword}__'. The keywords - are:\n\t \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\",\n\t - \ \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\".\nExamples:\n - \ - Expression accessing a property named - \"namespace\": {\"Expression\": \"object.__namespace__ - > 0\"}\n - Expression accessing a property - named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"}\n - Expression accessing a property - named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"}\n\n\nEquality on arrays with list - type of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1].\nConcatenation on - arrays with x-kubernetes-list-type use the - semantics of the list type:\n - 'set': - `X + Y` performs a union where the array - positions of all elements in `X` are preserved - and\n non-intersecting elements in `Y` - are appended, retaining their partial order.\n - \ - 'map': `X + Y` performs a merge where - the array positions of all keys in `X` are - preserved but the values\n are overwritten - by values in `Y` when the key sets of `X` - and `Y` intersect. Elements in `Y` with\n - \ non-intersecting keys are appended, - retaining their partial order.\nRequired." - type: string - message: - description: |- - Message represents the message displayed when validation fails. The message is required if the Expression contains - line breaks. The message must not contain line breaks. - If unset, the message is "failed rule: {Rule}". - e.g. "must be a URL with the host matching spec.host" - If the Expression contains line breaks. Message is required. - The message must not contain line breaks. - If unset, the message is "failed Expression: {Expression}". - type: string - messageExpression: - description: |- - messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. - Since messageExpression is used as a failure message, it must evaluate to a string. - If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. - If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced - as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string - that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and - the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. - messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. - Example: - "object.x must be less than max ("+string(params.max)+")" - type: string - reason: - description: |- - Reason represents a machine-readable description of why this validation failed. - If this is the first validation in the list to fail, this reason, as well as the - corresponding HTTP response code, are used in the - HTTP response to the client. - The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". - If not set, StatusReasonInvalid is used in the response to the client. - type: string - required: - - expression - type: object - type: array - paramKind: - description: ParamKind is a tuple of Group Kind - and Version. - properties: - apiVersion: - description: |- - APIVersion is the API group version the resources belong to. - In format of "group/version". - Required. - type: string - kind: - description: |- - Kind is the API kind the resources belong to. - Required. - type: string - type: object - x-kubernetes-map-type: atomic - paramRef: - description: ParamRef references a parameter resource. - properties: - name: - description: |- - `name` is the name of the resource being referenced. - - - `name` and `selector` are mutually exclusive properties. If one is set, - the other must be unset. - type: string - namespace: - description: |- - namespace is the namespace of the referenced resource. Allows limiting - the search for params to a specific namespace. Applies to both `name` and - `selector` fields. - - - A per-namespace parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field empty. - - - - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this - field results in a configuration error. - - - - If `paramKind` is namespace-scoped, the namespace of the object being - evaluated for admission will be used when this field is left unset. Take - care that if this is left empty the binding must not match any cluster-scoped - resources, which will result in an error. - type: string - parameterNotFoundAction: - description: |- - `parameterNotFoundAction` controls the behavior of the binding when the resource - exists, and name or selector is valid, but there are no parameters - matched by the binding. If the value is set to `Allow`, then no - matched parameters will be treated as successful validation by the binding. - If set to `Deny`, then no matched parameters will be subject to the - `failurePolicy` of the policy. - - - Allowed values are `Allow` or `Deny` - Default to `Deny` - type: string - selector: - description: |- - selector can be used to match multiple param objects based on their labels. - Supply selector: {} to match all resources of the ParamKind. - - - If multiple params are found, they are all evaluated with the policy expressions - and the results are ANDed together. - - - One of `name` or `selector` must be set, but `name` and `selector` are - mutually exclusive properties. If one is set, the other must be unset. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - x-kubernetes-map-type: atomic - variables: - description: |- - Variables contain definitions of variables that can be used in composition of other expressions. - Each variable is defined as a named CEL expression. - The variables defined here will be available under `variables` in other expressions of the policy. - items: - description: Variable is the definition of a variable - that is used for composition. - properties: - expression: - description: |- - Expression is the expression that will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers as the CEL expressions in Validation. - type: string - name: - description: |- - Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. - The variable can be accessed in other expressions through `variables` - For example, if name is "foo", the variable will be available as `variables.foo` - type: string - required: - - expression - - name - type: object - type: array - type: object - deny: - description: Deny defines conditions used to pass or - fail a validation rule. - properties: - conditions: - description: |- - Multiple conditions can be declared under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules - x-kubernetes-preserve-unknown-fields: true - type: object - foreach: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - items: - description: ForEachValidation applies validate rules - to a list of sub-elements by creating a context - for each entry in the list and looping over it to - apply the specified logic. - properties: - anyPattern: - description: |- - AnyPattern specifies list of validation patterns. At least one of the patterns - must be satisfied for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: |- - ContextEntry adds variables and data sources to a rule Context. Either a - ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: |- - APICall is an HTTP request to the Kubernetes API server, or other JSON web service. - The data returned is stored in the context with the name for the context entry. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - globalReference: - description: GlobalContextEntryReference - is a reference to a cached global context - entry. - properties: - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - name: - description: Name of the global context - entry - type: string - type: object - imageRegistry: - description: |- - ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials - provides credentials that will be - used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry - allows insecure access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: |- - Reference is image reference to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: |- - Default is an optional arbitrary JSON object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: |- - JMESPath is an optional JMESPath Expression that can be used to - transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. - properties: - conditions: - description: |- - Multiple conditions can be declared under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: |- - ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used as the validation scope within the foreach - block to allow referencing other elements in the subtree. - type: boolean - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: |- - List specifies a JMESPath expression that results in one or more elements - to which the validation logic is applied. - type: string - pattern: - description: Pattern specifies an overlay-style - pattern used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: |- - AnyAllConditions are used to determine if a policy rule should be applied by evaluating a - set of conditions. The declaration can contain nested `any` or `all` statements. - See: https://kyverno.io/docs/writing-policies/preconditions/ - properties: - all: - description: |- - AllConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, all of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: |- - AnyConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, at least one of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of - annotation for message and signature. Default - is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: |- - Count specifies the required number of entries that must match. If the count is null, all entries must match - (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a - value N, then N must be less than or equal to the size of entries, and at least N entries must match. - minimum: 1 - type: integer - entries: - description: |- - Entries contains the available attestors. An attestor can be a static key, - attributes for keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations are used for image verification. - Every specified key-value pair must exist and match in the verified payload. - The payload may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set - of Attestor used to specify a more - complex set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates. - properties: - cert: - description: Cert is an optional - PEM-encoded public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates - used to verify. - type: string - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - type: object - keyless: - description: |- - Keyless is a set of attribute used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - roots: - description: |- - Roots is an optional set of PEM encoded trusted root certificates. - If not provided, the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: |- - KMS provides the URI to the public key stored in a Key Management System. See: - https://github.com/sigstore/cosign/blob/main/KMS.md - type: string - publicKeys: - description: |- - Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly - specified or can be a variable reference to a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying it in the format "k8s:///". - The named Secret must specify a key `cosign.pub` containing the public key used for - verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each key is processed as a separate staticKey entry - (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and - sha512. - type: string - type: object - repository: - description: |- - Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. - If specified Repository will override other OCI image repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while - comparing manifests. - items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: |- - Repository is an optional alternate OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be - displayed on failure. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: |- - PodSecurity applies exemptions for Kubernetes Pod Security admission - by specifying exclusions for Pod Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security - Standard controls to be excluded. - items: - description: PodSecurityStandard specifies the - Pod Security Standard controls to be excluded. - properties: - controlName: - description: |- - ControlName specifies the name of the Pod Security Standard control. - See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: |- - Images selects matching containers and applies the container level PSS. - Each image is the image name consisting of the registry address, repository, image, and tag. - Empty list matches no containers, PSS checks are applied at the pod level only. - Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - items: - type: string - type: array - restrictedField: - description: |- - RestrictedField selects the field for the given Pod Security Standard control. - When not set, all restricted fields for the control are selected. - type: string - values: - description: Values defines the allowed values - that can be excluded. - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: |- - Level defines the Pod Security Standard level to be applied to workloads. - Allowed values are privileged, baseline, and restricted. - enum: - - privileged - - baseline - - restricted - type: string - version: - description: |- - Version defines the Pod Security Standard versions that Kubernetes supports. - Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest. - enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - v1.26 - - v1.27 - - v1.28 - - v1.29 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: |- - ImageVerification validates that images that match the specified pattern - are signed with the supplied public key. Once the image is verified it is - mutated to include the SHA digest retrieved during the registration. - properties: - additionalExtensions: - additionalProperties: - type: string - description: Deprecated. - type: object - annotations: - additionalProperties: - type: string - description: Deprecated. Use annotations per Attestor - instead. - type: object - attestations: - description: |- - Attestations are optional checks for signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the - OCI registry and decodes them into a list of Statement declarations. - items: - description: |- - Attestation are checks for signed in-toto Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the - OCI registry and decodes them into a list of Statements. - properties: - attestors: - description: Attestors specify the required - attestors (i.e. authorities). - items: - properties: - count: - description: |- - Count specifies the required number of entries that must match. If the count is null, all entries must match - (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a - value N, then N must be less than or equal to the size of entries, and at least N entries must match. - minimum: 1 - type: integer - entries: - description: |- - Entries contains the available attestors. An attestor can be a static key, - attributes for keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations are used for image verification. - Every specified key-value pair must exist and match in the verified payload. - The payload may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested - set of Attestor used to specify - a more complex set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates. - properties: - cert: - description: Cert is an optional - PEM-encoded public certificate. - type: string - certChain: - description: CertChain is an - optional PEM encoded set of - certificates used to verify. - type: string - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if - set, is used to validate - SCTs against a custom - source. - type: string - type: object - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog - skips transparency log - verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the - address of the transparency - log. Defaults to the public - Rekor log instance https://rekor.sigstore.dev. - type: string - type: object - type: object - keyless: - description: |- - Keyless is a set of attribute used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions - used for keyless signing. - type: object - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if - set, is used to validate - SCTs against a custom - source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog - skips transparency log - verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the - address of the transparency - log. Defaults to the public - Rekor log instance https://rekor.sigstore.dev. - type: string - type: object - roots: - description: |- - Roots is an optional set of PEM encoded trusted root certificates. - If not provided, the system roots are used. - type: string - subject: - description: Subject is the - verified identity used for - keyless signing, for example - the email address. - type: string - type: object - keys: - description: Keys specifies one - or more public keys. - properties: - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if - set, is used to validate - SCTs against a custom - source. - type: string - type: object - kms: - description: |- - KMS provides the URI to the public key stored in a Key Management System. See: - https://github.com/sigstore/cosign/blob/main/KMS.md - type: string - publicKeys: - description: |- - Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly - specified or can be a variable reference to a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying it in the format "k8s:///". - The named Secret must specify a key `cosign.pub` containing the public key used for - verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each key is processed as a separate staticKey entry - (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog - skips transparency log - verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the - address of the transparency - log. Defaults to the public - Rekor log instance https://rekor.sigstore.dev. - type: string - type: object - secret: - description: Reference to a - Secret resource that contains - a public key - properties: - name: - description: Name of the - secret. The provided secret - must contain a key named - cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature - algorithm for public keys. - Supported values are sha224, - sha256, sha384 and sha512. - type: string - type: object - repository: - description: |- - Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. - If specified Repository will override other OCI image repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: |- - Conditions are used to verify attributes within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there are predicates that match the predicate type. - items: - description: |- - AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one of its sub-conditions passes. - AllConditions get fulfilled only when all of its sub-conditions pass. - properties: - all: - description: |- - AllConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, all of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: |- - AnyConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, at least one of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: Deprecated in favour of 'Type', - to be removed soon - type: string - type: - description: Type defines the type of attestation - contained within the Statement. - type: string - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: |- - Count specifies the required number of entries that must match. If the count is null, all entries must match - (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a - value N, then N must be less than or equal to the size of entries, and at least N entries must match. - minimum: 1 - type: integer - entries: - description: |- - Entries contains the available attestors. An attestor can be a static key, - attributes for keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations are used for image verification. - Every specified key-value pair must exist and match in the verified payload. - The payload may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set - of Attestor used to specify a more complex - set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates. - properties: - cert: - description: Cert is an optional PEM-encoded - public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates - used to verify. - type: string - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - type: object - keyless: - description: |- - Keyless is a set of attribute used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - roots: - description: |- - Roots is an optional set of PEM encoded trusted root certificates. - If not provided, the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: |- - KMS provides the URI to the public key stored in a Key Management System. See: - https://github.com/sigstore/cosign/blob/main/KMS.md - type: string - publicKeys: - description: |- - Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly - specified or can be a variable reference to a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying it in the format "k8s:///". - The named Secret must specify a key `cosign.pub` containing the public key used for - verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each key is processed as a separate staticKey entry - (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and sha512. - type: string - type: object - repository: - description: |- - Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. - If specified Repository will override other OCI image repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - image: - description: Deprecated. Use ImageReferences instead. - type: string - imageReferences: - description: |- - ImageReferences is a list of matching image reference patterns. At least one pattern in the - list must match the image for the rule to apply. Each image reference consists of a registry - address (defaults to docker.io), repository, image, and tag (defaults to latest). - Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - items: - type: string - type: array - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry. - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure - access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers - required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - issuer: - description: Deprecated. Use KeylessAttestor instead. - type: string - key: - description: Deprecated. Use StaticKeyAttestor instead. - type: string - mutateDigest: - default: true - description: |- - MutateDigest enables replacement of image tags with digests. - Defaults to true. - type: boolean - repository: - description: |- - Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. - If specified Repository will override the default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. have matched passed a signature or attestation - check. - type: boolean - roots: - description: Deprecated. Use KeylessAttestor instead. - type: string - skipImageReferences: - description: |- - SkipImageReferences is a list of matching image reference patterns that should be skipped. - At least one pattern in the list must match the image for the rule to be skipped. Each image reference - consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). - Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - items: - type: string - type: array - subject: - description: Deprecated. Use KeylessAttestor instead. - type: string - type: - description: |- - Type specifies the method of signature validation. The allowed options - are Cosign and Notary. By default Cosign is used if a type is not specified. - enum: - - Cosign - - Notary - type: string - useCache: - default: true - description: UseCache enables caching of image verify - responses for this rule. - type: boolean - verifyDigest: - default: true - description: VerifyDigest validates that images have - a digest. - type: boolean - type: object - type: array - required: - - name - type: object - type: array - type: object - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - ready: - description: Deprecated in favor of Conditions - type: boolean - rulecount: - description: |- - RuleCountStatus contains four variables which describes counts for - validate, generate, mutate and verify images rules - properties: - generate: - description: Count for generate rules in policy - type: integer - mutate: - description: Count for mutate rules in policy - type: integer - validate: - description: Count for validate rules in policy - type: integer - verifyimages: - description: Count for verify image rules in policy - type: integer - required: - - generate - - mutate - - validate - - verifyimages - type: object - validatingadmissionpolicy: - description: ValidatingAdmissionPolicy contains status information - properties: - generated: - description: Generated indicates whether a validating admission - policy is generated from the policy or not - type: boolean - message: - description: |- - Message is a human readable message indicating details about the generation of validating admission policy - It is an empty string when validating admission policy is successfully generated. - type: string - required: - - generated - - message - type: object - required: - - ready - type: object - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} -{{- end }} diff --git a/charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_globalcontextentries.yaml b/charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_globalcontextentries.yaml deleted file mode 100644 index 2c64fe3a..00000000 --- a/charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_globalcontextentries.yaml +++ /dev/null @@ -1,249 +0,0 @@ -{{- if .Values.groups.kyverno.globalcontextentries }} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - {{- include "kyverno.crds.labels" . | nindent 4 }} - annotations: - {{- with .Values.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - controller-gen.kubebuilder.io/version: v0.15.0 - name: globalcontextentries.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: GlobalContextEntry - listKind: GlobalContextEntryList - plural: globalcontextentries - shortNames: - - gctxentry - singular: globalcontextentry - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type == "Ready")].status - name: READY - type: string - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .spec.apiCall.refreshInterval - name: REFRESH INTERVAL - type: string - - jsonPath: .status.lastRefreshTime - name: LAST REFRESH - type: date - name: v2alpha1 - schema: - openAPIV3Schema: - description: GlobalContextEntry declares resources to be cached. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec declares policy exception behaviors. - properties: - apiCall: - description: |- - Stores results from an API call which will be cached. - Mutually exclusive with KubernetesResource. - This can be used to make calls to external (non-Kubernetes API server) services. - It can also be used to make calls to the Kubernetes API server in such cases: - 1. A POST is needed to create a resource. - 2. Finer-grained control is needed. Example: To restrict the number of resources cached. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains the HTTP POST data - properties: - key: - description: Key is a unique identifier for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - method: - default: GET - description: Method is the HTTP request type (GET or POST). - enum: - - GET - - POST - type: string - refreshInterval: - default: 10m - description: |- - RefreshInterval defines the interval in duration at which to poll the APICall. - The duration is a sequence of decimal numbers, each with optional fraction and a unit suffix, - such as "300ms", "1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - format: duration - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - kubernetesResource: - description: |- - Stores a list of Kubernetes resources which will be cached. - Mutually exclusive with APICall. - properties: - group: - description: Group defines the group of the resource. - type: string - namespace: - description: |- - Namespace defines the namespace of the resource. Leave empty for cluster scoped resources. - If left empty for namespaced resources, all resources from all namespaces will be cached. - type: string - resource: - description: |- - Resource defines the type of the resource. - Requires the pluralized form of the resource kind in lowercase. (Ex., "deployments") - type: string - version: - description: Version defines the version of the resource. - type: string - type: object - type: object - status: - description: Status contains globalcontextentry runtime data. - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastRefreshTime: - description: Indicates the time when the globalcontextentry was last - refreshed successfully for the API Call - format: date-time - type: string - ready: - description: Deprecated in favor of Conditions - type: boolean - required: - - ready - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} -{{- end }} diff --git a/charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml b/charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml deleted file mode 100644 index 7b766172..00000000 --- a/charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml +++ /dev/null @@ -1,16565 +0,0 @@ -{{- if .Values.groups.kyverno.policies }} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - {{- include "kyverno.crds.labels" . | nindent 4 }} - annotations: - {{- with .Values.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - controller-gen.kubebuilder.io/version: v0.15.0 - name: policies.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: Policy - listKind: PolicyList - plural: policies - shortNames: - - pol - singular: policy - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.admission - name: ADMISSION - type: boolean - - jsonPath: .spec.background - name: BACKGROUND - type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - - jsonPath: .status.conditions[?(@.type == "Ready")].status - name: READY - type: string - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .spec.failurePolicy - name: FAILURE POLICY - priority: 1 - type: string - - jsonPath: .status.rulecount.validate - name: VALIDATE - priority: 1 - type: integer - - jsonPath: .status.rulecount.mutate - name: MUTATE - priority: 1 - type: integer - - jsonPath: .status.rulecount.generate - name: GENERATE - priority: 1 - type: integer - - jsonPath: .status.rulecount.verifyimages - name: VERIFY IMAGES - priority: 1 - type: integer - - jsonPath: .status.conditions[?(@.type == "Ready")].message - name: MESSAGE - type: string - name: v1 - schema: - openAPIV3Schema: - description: |- - Policy declares validation, mutation, and generation behaviors for matching resources. - See: https://kyverno.io/docs/writing-policies/ for more information. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec defines policy behaviors and contains one or more rules. - properties: - admission: - default: true - description: |- - Admission controls if rules are applied during admission. - Optional. Default value is "true". - type: boolean - applyRules: - description: |- - ApplyRules controls how rules in a policy are applied. Rule are processed in - the order of declaration. When set to `One` processing stops after a rule has - been applied i.e. the rule matches and results in a pass, fail, or error. When - set to `All` all rules in the policy are processed. The default is `All`. - enum: - - All - - One - type: string - background: - default: true - description: |- - Background controls if rules are applied to existing resources during a background scan. - Optional. Default value is "true". The value must be set to "false" if the policy rule - uses variables that are only available in the admission review request (e.g. user name). - type: boolean - failurePolicy: - description: |- - FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. - Rules within the same policy share the same failure behavior. - This field should not be accessed directly, instead `GetFailurePolicy()` should be used. - Allowed values are Ignore or Fail. Defaults to Fail. - enum: - - Ignore - - Fail - type: string - generateExisting: - description: |- - GenerateExisting controls whether to trigger generate rule in existing resources - If is set to "true" generate rule will be triggered and applied to existing matched resources. - Defaults to "false" if not specified. - type: boolean - generateExistingOnPolicyUpdate: - description: Deprecated, use generateExisting instead - type: boolean - mutateExistingOnPolicyUpdate: - description: |- - MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. - Default value is "false". - type: boolean - rules: - description: |- - Rules is a list of Rule instances. A Policy contains multiple rules and - each rule can validate, mutate, or generate resources. - items: - description: |- - Rule defines a validation, mutation, or generation control for matching resources. - Each rules contains a match declaration to select resources, and an optional exclude - declaration to specify which resources to exclude. - properties: - celPreconditions: - description: |- - CELPreconditions are used to determine if a policy rule should be applied by evaluating a - set of CEL conditions. It can only be used with the validate.cel subrule - items: - description: MatchCondition represents a condition which must - by fulfilled for a request to be sent to a webhook. - properties: - expression: - description: |- - Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. - CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: - - - 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. - See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the - request resource. - Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - - - Required. - type: string - name: - description: |- - Name is an identifier for this match condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. A good name should be descriptive of - the associated expression. - Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or - '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an - optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') - - - Required. - type: string - required: - - expression - - name - type: object - type: array - context: - description: Context defines variables and data sources that - can be used during rule execution. - items: - description: |- - ContextEntry adds variables and data sources to a rule Context. Either a - ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: |- - APICall is an HTTP request to the Kubernetes API server, or other JSON web service. - The data returned is stored in the context with the name for the context entry. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains the HTTP POST - data - properties: - key: - description: Key is a unique identifier for - the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request type (GET - or POST). - enum: - - GET - - POST - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - globalReference: - description: GlobalContextEntryReference is a reference - to a cached global context entry. - properties: - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - name: - description: Name of the global context entry - type: string - type: object - imageRegistry: - description: |- - ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure - access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers - required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: |- - Reference is image reference to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath context - variable that can be defined inline. - properties: - default: - description: |- - Default is an optional arbitrary JSON object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: |- - JMESPath is an optional JMESPath Expression that can be used to - transform the variable. - type: string - value: - description: Value is any arbitrary JSON object representable - in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: |- - ExcludeResources defines when this policy rule should not be applied. The exclude - criteria can include resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: |- - ResourceDescription contains information about the resource being created or modified. - Requires at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match is being deprecated. - Please specify under "any" or "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - generate: - description: Generation is used to create new resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: |- - Clone specifies the source resource used to populate each generated resource. - At most one of Data or Clone can be specified. If neither are provided, the generated - resource will be created with default data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source resource - used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - namespace: - description: Namespace specifies source resource namespace. - type: string - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels`. - wildcard characters are not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: |- - Data provides the resource declaration used to populate each generated resource. - At most one of Data or Clone must be specified. If neither are provided, the generated - resource will be created with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - orphanDownstreamOnPolicyDelete: - description: |- - OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated - them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type. - See https://kyverno.io/docs/writing-policies/generate/#data-examples. - Defaults to "false" if not specified. - type: boolean - synchronize: - description: |- - Synchronize controls if generated resources should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated resources will be overwritten with resource - data from Data or the resource specified in the Clone declaration. - Optional. Defaults to "false" if not specified. - type: boolean - uid: - description: UID specifies the resource uid. - type: string - type: object - imageExtractors: - additionalProperties: - items: - properties: - jmesPath: - description: |- - JMESPath is an optional JMESPath expression to apply to the image value. - This is useful when the extracted image begins with a prefix like 'docker://'. - The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). - Note - Image digest mutation may not be used when applying a JMESPAth to an image. - type: string - key: - description: |- - Key is an optional name of the field within 'path' that will be used to uniquely identify an image. - Note - this field MUST be unique. - type: string - name: - description: |- - Name is the entry the image will be available under 'images.' in the context. - If this field is not defined, image entries will appear under 'images.custom'. - type: string - path: - description: |- - Path is the path to the object containing the image field in a custom resource. - It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. - Wildcard keys are expanded in case of arrays or objects. - type: string - value: - description: |- - Value is an optional name of the field within 'path' that points to the image URI. - This is useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: |- - ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. - This config is only valid for verifyImages rules. - type: object - match: - description: |- - MatchResources defines when this policy rule should be applied. The match - criteria can include resource information (e.g. kind, name, namespace, labels) - and admission review request information like the user name or role. - At least one kind is required. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: |- - ResourceDescription contains information about the resource being created or modified. - Requires at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match is being deprecated. - Please specify under "any" or "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. - properties: - foreach: - description: ForEach applies mutation rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEachMutation applies mutation rules to - a list of sub-elements by creating a context for each - entry in the list and looping over it to apply the specified - logic. - properties: - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: |- - ContextEntry adds variables and data sources to a rule Context. Either a - ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: |- - APICall is an HTTP request to the Kubernetes API server, or other JSON web service. - The data returned is stored in the context with the name for the context entry. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains the - HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - globalReference: - description: GlobalContextEntryReference is - a reference to a cached global context entry. - properties: - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - name: - description: Name of the global context - entry - type: string - type: object - imageRegistry: - description: |- - ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: |- - Reference is image reference to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: |- - Default is an optional arbitrary JSON object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: |- - JMESPath is an optional JMESPath Expression that can be used to - transform the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: |- - List specifies a JMESPath expression that results in one or more elements - to which the validation logic is applied. - type: string - order: - description: |- - Order defines the iteration order on the list. - Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. - enum: - - Ascending - - Descending - type: string - patchStrategicMerge: - description: |- - PatchStrategicMerge is a strategic merge patch used to modify resources. - See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: |- - PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. - See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: |- - AnyAllConditions are used to determine if a policy rule should be applied by evaluating a - set of conditions. The declaration can contain nested `any` or `all` statements. - See: https://kyverno.io/docs/writing-policies/preconditions/ - properties: - all: - description: |- - AllConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, all of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: |- - AnyConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, at least one of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: |- - PatchStrategicMerge is a strategic merge patch used to modify resources. - See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: |- - PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. - See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to be - mutated. - items: - description: TargetResourceSpec defines targets for mutating - existing resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: |- - ContextEntry adds variables and data sources to a rule Context. Either a - ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: |- - APICall is an HTTP request to the Kubernetes API server, or other JSON web service. - The data returned is stored in the context with the name for the context entry. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains the - HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - globalReference: - description: GlobalContextEntryReference is - a reference to a cached global context entry. - properties: - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - name: - description: Name of the global context - entry - type: string - type: object - imageRegistry: - description: |- - ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: |- - Reference is image reference to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: |- - Default is an optional arbitrary JSON object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: |- - JMESPath is an optional JMESPath Expression that can be used to - transform the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - preconditions: - description: |- - Preconditions are used to determine if a policy rule should be applied by evaluating a - set of conditions. The declaration can contain nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements is supported for backwards compatibility but - will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/ - x-kubernetes-preserve-unknown-fields: true - uid: - description: UID specifies the resource uid. - type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must be - unique within the policy. - maxLength: 63 - type: string - preconditions: - description: |- - Preconditions are used to determine if a policy rule should be applied by evaluating a - set of conditions. The declaration can contain nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements is supported for backwards compatibility but - will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/ - x-kubernetes-preserve-unknown-fields: true - skipBackgroundRequests: - default: true - description: |- - SkipBackgroundRequests bypasses admission requests that are sent by the background controller. - The default value is set to "true", it must be set to "false" to apply - generate and mutateExisting rules to those requests. - type: boolean - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: |- - AnyPattern specifies list of validation patterns. At least one of the patterns - must be satisfied for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - cel: - description: CEL allows validation checks using the Common - Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). - properties: - auditAnnotations: - description: AuditAnnotations contains CEL expressions - which are used to produce audit annotations for the - audit event of the API request. - items: - description: AuditAnnotation describes how to produce - an audit annotation for an API request. - properties: - key: - description: |- - key specifies the audit annotation key. The audit annotation keys of - a ValidatingAdmissionPolicy must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. - - - The key is combined with the resource name of the - ValidatingAdmissionPolicy to construct an audit annotation key: - "{ValidatingAdmissionPolicy name}/{key}". - - - If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation key will be identical. - In this case, the first annotation written with the key will be included - in the audit event and all subsequent annotations with the same key - will be discarded. - - - Required. - type: string - valueExpression: - description: |- - valueExpression represents the expression which is evaluated by CEL to - produce an audit annotation value. The expression must evaluate to either - a string or null value. If the expression evaluates to a string, the - audit annotation is included with the string value. If the expression - evaluates to null or empty string the audit annotation will be omitted. - The valueExpression may be no longer than 5kb in length. - If the result of the valueExpression is more than 10kb in length, it - will be truncated to 10kb. - - - If multiple ValidatingAdmissionPolicyBinding resources match an - API request, then the valueExpression will be evaluated for - each binding. All unique values produced by the valueExpressions - will be joined together in a comma-separated list. - - - Required. - type: string - required: - - key - - valueExpression - type: object - type: array - expressions: - description: Expressions is a list of CELExpression - types. - items: - description: Validation specifies the CEL expression - which is used to apply the validation. - properties: - expression: - description: "Expression represents the expression - which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL - expressions have access to the contents of the - API request/response, organized into CEL variables - as well as some other useful variables:\n\n\n- - 'object' - The object from the incoming request. - The value is null for DELETE requests.\n- 'oldObject' - - The existing object. The value is null for - CREATE requests.\n- 'request' - Attributes of - the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- - 'params' - Parameter resource referred to by - the policy binding being evaluated. Only populated - if the policy has a ParamKind.\n- 'namespaceObject' - - The namespace object that the incoming object - belongs to. The value is null for cluster-scoped - resources.\n- 'variables' - Map of composited - variables, from its name to its lazily evaluated - value.\n For example, a variable named 'foo' - can be accessed as 'variables.foo'.\n- 'authorizer' - - A CEL Authorizer. May be used to perform authorization - checks for the principal (user or service account) - of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the\n request resource.\n\n\nThe `apiVersion`, - `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the\nobject. - No other metadata properties are accessible.\n\n\nOnly - property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible.\nAccessible property names are - escaped according to the following rules when - accessed in the expression:\n- '__' escapes - to '__underscores__'\n- '.' escapes to '__dot__'\n- - '-' escapes to '__dash__'\n- '/' escapes to - '__slash__'\n- Property names that exactly match - a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are:\n\t \"true\", \"false\", - \"null\", \"in\", \"as\", \"break\", \"const\", - \"continue\", \"else\", \"for\", \"function\", - \"if\",\n\t \"import\", \"let\", \"loop\", - \"package\", \"namespace\", \"return\".\nExamples:\n - \ - Expression accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ > 0\"}\n - \ - Expression accessing a property named \"x-prop\": - {\"Expression\": \"object.x__dash__prop > 0\"}\n - \ - Expression accessing a property named \"redact__d\": - {\"Expression\": \"object.redact__underscores__d - > 0\"}\n\n\nEquality on arrays with list type - of 'set' or 'map' ignores element order, i.e. - [1, 2] == [2, 1].\nConcatenation on arrays with - x-kubernetes-list-type use the semantics of - the list type:\n - 'set': `X + Y` performs - a union where the array positions of all elements - in `X` are preserved and\n non-intersecting - elements in `Y` are appended, retaining their - partial order.\n - 'map': `X + Y` performs - a merge where the array positions of all keys - in `X` are preserved but the values\n are - overwritten by values in `Y` when the key sets - of `X` and `Y` intersect. Elements in `Y` with\n - \ non-intersecting keys are appended, retaining - their partial order.\nRequired." - type: string - message: - description: |- - Message represents the message displayed when validation fails. The message is required if the Expression contains - line breaks. The message must not contain line breaks. - If unset, the message is "failed rule: {Rule}". - e.g. "must be a URL with the host matching spec.host" - If the Expression contains line breaks. Message is required. - The message must not contain line breaks. - If unset, the message is "failed Expression: {Expression}". - type: string - messageExpression: - description: |- - messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. - Since messageExpression is used as a failure message, it must evaluate to a string. - If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. - If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced - as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string - that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and - the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. - messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. - Example: - "object.x must be less than max ("+string(params.max)+")" - type: string - reason: - description: |- - Reason represents a machine-readable description of why this validation failed. - If this is the first validation in the list to fail, this reason, as well as the - corresponding HTTP response code, are used in the - HTTP response to the client. - The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". - If not set, StatusReasonInvalid is used in the response to the client. - type: string - required: - - expression - type: object - type: array - paramKind: - description: ParamKind is a tuple of Group Kind and - Version. - properties: - apiVersion: - description: |- - APIVersion is the API group version the resources belong to. - In format of "group/version". - Required. - type: string - kind: - description: |- - Kind is the API kind the resources belong to. - Required. - type: string - type: object - x-kubernetes-map-type: atomic - paramRef: - description: ParamRef references a parameter resource. - properties: - name: - description: |- - `name` is the name of the resource being referenced. - - - `name` and `selector` are mutually exclusive properties. If one is set, - the other must be unset. - type: string - namespace: - description: |- - namespace is the namespace of the referenced resource. Allows limiting - the search for params to a specific namespace. Applies to both `name` and - `selector` fields. - - - A per-namespace parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field empty. - - - - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this - field results in a configuration error. - - - - If `paramKind` is namespace-scoped, the namespace of the object being - evaluated for admission will be used when this field is left unset. Take - care that if this is left empty the binding must not match any cluster-scoped - resources, which will result in an error. - type: string - parameterNotFoundAction: - description: |- - `parameterNotFoundAction` controls the behavior of the binding when the resource - exists, and name or selector is valid, but there are no parameters - matched by the binding. If the value is set to `Allow`, then no - matched parameters will be treated as successful validation by the binding. - If set to `Deny`, then no matched parameters will be subject to the - `failurePolicy` of the policy. - - - Allowed values are `Allow` or `Deny` - Default to `Deny` - type: string - selector: - description: |- - selector can be used to match multiple param objects based on their labels. - Supply selector: {} to match all resources of the ParamKind. - - - If multiple params are found, they are all evaluated with the policy expressions - and the results are ANDed together. - - - One of `name` or `selector` must be set, but `name` and `selector` are - mutually exclusive properties. If one is set, the other must be unset. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - x-kubernetes-map-type: atomic - variables: - description: |- - Variables contain definitions of variables that can be used in composition of other expressions. - Each variable is defined as a named CEL expression. - The variables defined here will be available under `variables` in other expressions of the policy. - items: - description: Variable is the definition of a variable - that is used for composition. - properties: - expression: - description: |- - Expression is the expression that will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers as the CEL expressions in Validation. - type: string - name: - description: |- - Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. - The variable can be accessed in other expressions through `variables` - For example, if name is "foo", the variable will be available as `variables.foo` - type: string - required: - - expression - - name - type: object - type: array - type: object - deny: - description: Deny defines conditions used to pass or fail - a validation rule. - properties: - conditions: - description: |- - Multiple conditions can be declared under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules - x-kubernetes-preserve-unknown-fields: true - type: object - foreach: - description: ForEach applies validate rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEachValidation applies validate rules - to a list of sub-elements by creating a context for - each entry in the list and looping over it to apply - the specified logic. - properties: - anyPattern: - description: |- - AnyPattern specifies list of validation patterns. At least one of the patterns - must be satisfied for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: |- - ContextEntry adds variables and data sources to a rule Context. Either a - ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: |- - APICall is an HTTP request to the Kubernetes API server, or other JSON web service. - The data returned is stored in the context with the name for the context entry. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains the - HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - globalReference: - description: GlobalContextEntryReference is - a reference to a cached global context entry. - properties: - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - name: - description: Name of the global context - entry - type: string - type: object - imageRegistry: - description: |- - ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: |- - Reference is image reference to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: |- - Default is an optional arbitrary JSON object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: |- - JMESPath is an optional JMESPath Expression that can be used to - transform the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. - properties: - conditions: - description: |- - Multiple conditions can be declared under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: |- - ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used as the validation scope within the foreach - block to allow referencing other elements in the subtree. - type: boolean - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: |- - List specifies a JMESPath expression that results in one or more elements - to which the validation logic is applied. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: |- - AnyAllConditions are used to determine if a policy rule should be applied by evaluating a - set of conditions. The declaration can contain nested `any` or `all` statements. - See: https://kyverno.io/docs/writing-policies/preconditions/ - properties: - all: - description: |- - AllConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, all of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: |- - AnyConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, at least one of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of annotation - for message and signature. Default is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: |- - Count specifies the required number of entries that must match. If the count is null, all entries must match - (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a - value N, then N must be less than or equal to the size of entries, and at least N entries must match. - minimum: 1 - type: integer - entries: - description: |- - Entries contains the available attestors. An attestor can be a static key, - attributes for keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations are used for image verification. - Every specified key-value pair must exist and match in the verified payload. - The payload may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set of - Attestor used to specify a more complex - set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates. - properties: - cert: - description: Cert is an optional PEM-encoded - public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates used - to verify. - type: string - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - type: object - keyless: - description: |- - Keyless is a set of attribute used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - roots: - description: |- - Roots is an optional set of PEM encoded trusted root certificates. - If not provided, the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: |- - KMS provides the URI to the public key stored in a Key Management System. See: - https://github.com/sigstore/cosign/blob/main/KMS.md - type: string - publicKeys: - description: |- - Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly - specified or can be a variable reference to a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying it in the format "k8s:///". - The named Secret must specify a key `cosign.pub` containing the public key used for - verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each key is processed as a separate staticKey entry - (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and sha512. - type: string - type: object - repository: - description: |- - Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. - If specified Repository will override other OCI image repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while comparing - manifests. - items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: |- - Repository is an optional alternate OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be displayed - on failure. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: |- - PodSecurity applies exemptions for Kubernetes Pod Security admission - by specifying exclusions for Pod Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security Standard - controls to be excluded. - items: - description: PodSecurityStandard specifies the Pod - Security Standard controls to be excluded. - properties: - controlName: - description: |- - ControlName specifies the name of the Pod Security Standard control. - See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: |- - Images selects matching containers and applies the container level PSS. - Each image is the image name consisting of the registry address, repository, image, and tag. - Empty list matches no containers, PSS checks are applied at the pod level only. - Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - items: - type: string - type: array - restrictedField: - description: |- - RestrictedField selects the field for the given Pod Security Standard control. - When not set, all restricted fields for the control are selected. - type: string - values: - description: Values defines the allowed values - that can be excluded. - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: |- - Level defines the Pod Security Standard level to be applied to workloads. - Allowed values are privileged, baseline, and restricted. - enum: - - privileged - - baseline - - restricted - type: string - version: - description: |- - Version defines the Pod Security Standard versions that Kubernetes supports. - Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest. - enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - v1.26 - - v1.27 - - v1.28 - - v1.29 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: |- - ImageVerification validates that images that match the specified pattern - are signed with the supplied public key. Once the image is verified it is - mutated to include the SHA digest retrieved during the registration. - properties: - additionalExtensions: - additionalProperties: - type: string - description: Deprecated. - type: object - annotations: - additionalProperties: - type: string - description: Deprecated. Use annotations per Attestor - instead. - type: object - attestations: - description: |- - Attestations are optional checks for signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the - OCI registry and decodes them into a list of Statement declarations. - items: - description: |- - Attestation are checks for signed in-toto Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the - OCI registry and decodes them into a list of Statements. - properties: - attestors: - description: Attestors specify the required attestors - (i.e. authorities). - items: - properties: - count: - description: |- - Count specifies the required number of entries that must match. If the count is null, all entries must match - (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a - value N, then N must be less than or equal to the size of entries, and at least N entries must match. - minimum: 1 - type: integer - entries: - description: |- - Entries contains the available attestors. An attestor can be a static key, - attributes for keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations are used for image verification. - Every specified key-value pair must exist and match in the verified payload. - The payload may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set - of Attestor used to specify a more - complex set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates. - properties: - cert: - description: Cert is an optional - PEM-encoded public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates - used to verify. - type: string - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - type: object - keyless: - description: |- - Keyless is a set of attribute used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - roots: - description: |- - Roots is an optional set of PEM encoded trusted root certificates. - If not provided, the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: |- - KMS provides the URI to the public key stored in a Key Management System. See: - https://github.com/sigstore/cosign/blob/main/KMS.md - type: string - publicKeys: - description: |- - Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly - specified or can be a variable reference to a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying it in the format "k8s:///". - The named Secret must specify a key `cosign.pub` containing the public key used for - verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each key is processed as a separate staticKey entry - (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and - sha512. - type: string - type: object - repository: - description: |- - Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. - If specified Repository will override other OCI image repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: |- - Conditions are used to verify attributes within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there are predicates that match the predicate type. - items: - description: |- - AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one of its sub-conditions passes. - AllConditions get fulfilled only when all of its sub-conditions pass. - properties: - all: - description: |- - AllConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, all of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: |- - AnyConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, at least one of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: Deprecated in favour of 'Type', to - be removed soon - type: string - type: - description: Type defines the type of attestation - contained within the Statement. - type: string - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: |- - Count specifies the required number of entries that must match. If the count is null, all entries must match - (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a - value N, then N must be less than or equal to the size of entries, and at least N entries must match. - minimum: 1 - type: integer - entries: - description: |- - Entries contains the available attestors. An attestor can be a static key, - attributes for keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations are used for image verification. - Every specified key-value pair must exist and match in the verified payload. - The payload may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set of Attestor - used to specify a more complex set of match - authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one or - more certificates. - properties: - cert: - description: Cert is an optional PEM-encoded - public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates used - to verify. - type: string - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is used - to validate SCTs against a custom - source. - type: string - type: object - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address of - the transparency log. Defaults to - the public Rekor log instance https://rekor.sigstore.dev. - type: string - type: object - type: object - keyless: - description: |- - Keyless is a set of attribute used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is used - to validate SCTs against a custom - source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address of - the transparency log. Defaults to - the public Rekor log instance https://rekor.sigstore.dev. - type: string - type: object - roots: - description: |- - Roots is an optional set of PEM encoded trusted root certificates. - If not provided, the system roots are used. - type: string - subject: - description: Subject is the verified identity - used for keyless signing, for example - the email address. - type: string - type: object - keys: - description: Keys specifies one or more public - keys. - properties: - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is used - to validate SCTs against a custom - source. - type: string - type: object - kms: - description: |- - KMS provides the URI to the public key stored in a Key Management System. See: - https://github.com/sigstore/cosign/blob/main/KMS.md - type: string - publicKeys: - description: |- - Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly - specified or can be a variable reference to a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying it in the format "k8s:///". - The named Secret must specify a key `cosign.pub` containing the public key used for - verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each key is processed as a separate staticKey entry - (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address of - the transparency log. Defaults to - the public Rekor log instance https://rekor.sigstore.dev. - type: string - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. The - provided secret must contain a key - named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values are - sha224, sha256, sha384 and sha512. - type: string - type: object - repository: - description: |- - Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. - If specified Repository will override other OCI image repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - image: - description: Deprecated. Use ImageReferences instead. - type: string - imageReferences: - description: |- - ImageReferences is a list of matching image reference patterns. At least one pattern in the - list must match the image for the rule to apply. Each image reference consists of a registry - address (defaults to docker.io), repository, image, and tag (defaults to latest). - Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - items: - type: string - type: array - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry. - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure - access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - issuer: - description: Deprecated. Use KeylessAttestor instead. - type: string - key: - description: Deprecated. Use StaticKeyAttestor instead. - type: string - mutateDigest: - default: true - description: |- - MutateDigest enables replacement of image tags with digests. - Defaults to true. - type: boolean - repository: - description: |- - Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. - If specified Repository will override the default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. have matched passed a signature or attestation - check. - type: boolean - roots: - description: Deprecated. Use KeylessAttestor instead. - type: string - skipImageReferences: - description: |- - SkipImageReferences is a list of matching image reference patterns that should be skipped. - At least one pattern in the list must match the image for the rule to be skipped. Each image reference - consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). - Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - items: - type: string - type: array - subject: - description: Deprecated. Use KeylessAttestor instead. - type: string - type: - description: |- - Type specifies the method of signature validation. The allowed options - are Cosign and Notary. By default Cosign is used if a type is not specified. - enum: - - Cosign - - Notary - type: string - useCache: - default: true - description: UseCache enables caching of image verify - responses for this rule. - type: boolean - verifyDigest: - default: true - description: VerifyDigest validates that images have a - digest. - type: boolean - type: object - type: array - required: - - name - type: object - type: array - schemaValidation: - description: Deprecated. - type: boolean - useServerSideApply: - description: |- - UseServerSideApply controls whether to use server-side apply for generate rules - If is set to "true" create & update for generate rules will use apply instead of create/update. - Defaults to "false" if not specified. - type: boolean - validationFailureAction: - default: Audit - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are audit or enforce. The default value is "Audit". - enum: - - audit - - enforce - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the policy validation - failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array - webhookConfiguration: - description: |- - WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. - Requires Kubernetes 1.27 or later. - properties: - matchConditions: - description: MatchCondition configures admission webhook matchConditions. - items: - description: MatchCondition represents a condition which must - by fulfilled for a request to be sent to a webhook. - properties: - expression: - description: |- - Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. - CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: - - - 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. - See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the - request resource. - Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - - - Required. - type: string - name: - description: |- - Name is an identifier for this match condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. A good name should be descriptive of - the associated expression. - Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or - '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an - optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') - - - Required. - type: string - required: - - expression - - name - type: object - type: array - type: object - webhookTimeoutSeconds: - description: |- - WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. - After the configured time expires, the admission request may fail, or may simply ignore the policy results, - based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. - format: int32 - type: integer - type: object - status: - description: Deprecated. Policy metrics are available via the metrics - endpoint - properties: - autogen: - description: AutogenStatus contains autogen status information. - properties: - rules: - description: Rules is a list of Rule instances. It contains auto - generated rules added for pod controllers - items: - description: |- - Rule defines a validation, mutation, or generation control for matching resources. - Each rules contains a match declaration to select resources, and an optional exclude - declaration to specify which resources to exclude. - properties: - celPreconditions: - description: |- - CELPreconditions are used to determine if a policy rule should be applied by evaluating a - set of CEL conditions. It can only be used with the validate.cel subrule - items: - description: MatchCondition represents a condition which - must by fulfilled for a request to be sent to a webhook. - properties: - expression: - description: |- - Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. - CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: - - - 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. - See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the - request resource. - Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - - - Required. - type: string - name: - description: |- - Name is an identifier for this match condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. A good name should be descriptive of - the associated expression. - Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or - '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an - optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') - - - Required. - type: string - required: - - expression - - name - type: object - type: array - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: |- - ContextEntry adds variables and data sources to a rule Context. Either a - ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: |- - APICall is an HTTP request to the Kubernetes API server, or other JSON web service. - The data returned is stored in the context with the name for the context entry. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains the HTTP POST - data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request type (GET - or POST). - enum: - - GET - - POST - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - globalReference: - description: GlobalContextEntryReference is a reference - to a cached global context entry. - properties: - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - name: - description: Name of the global context entry - type: string - type: object - imageRegistry: - description: |- - ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers - required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: |- - Reference is image reference to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: |- - Default is an optional arbitrary JSON object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: |- - JMESPath is an optional JMESPath Expression that can be used to - transform the variable. - type: string - value: - description: Value is any arbitrary JSON object - representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: |- - ExcludeResources defines when this policy rule should not be applied. The exclude - criteria can include resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: |- - ResourceDescription contains information about the resource being created or modified. - Requires at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match is being deprecated. - Please specify under "any" or "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one of - the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - generate: - description: Generation is used to create new resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: |- - Clone specifies the source resource used to populate each generated resource. - At most one of Data or Clone can be specified. If neither are provided, the generated - resource will be created with default data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource - namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source - resource used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - namespace: - description: Namespace specifies source resource - namespace. - type: string - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels`. - wildcard characters are not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: |- - Data provides the resource declaration used to populate each generated resource. - At most one of Data or Clone must be specified. If neither are provided, the generated - resource will be created with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - orphanDownstreamOnPolicyDelete: - description: |- - OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated - them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type. - See https://kyverno.io/docs/writing-policies/generate/#data-examples. - Defaults to "false" if not specified. - type: boolean - synchronize: - description: |- - Synchronize controls if generated resources should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated resources will be overwritten with resource - data from Data or the resource specified in the Clone declaration. - Optional. Defaults to "false" if not specified. - type: boolean - uid: - description: UID specifies the resource uid. - type: string - type: object - imageExtractors: - additionalProperties: - items: - properties: - jmesPath: - description: |- - JMESPath is an optional JMESPath expression to apply to the image value. - This is useful when the extracted image begins with a prefix like 'docker://'. - The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). - Note - Image digest mutation may not be used when applying a JMESPAth to an image. - type: string - key: - description: |- - Key is an optional name of the field within 'path' that will be used to uniquely identify an image. - Note - this field MUST be unique. - type: string - name: - description: |- - Name is the entry the image will be available under 'images.' in the context. - If this field is not defined, image entries will appear under 'images.custom'. - type: string - path: - description: |- - Path is the path to the object containing the image field in a custom resource. - It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. - Wildcard keys are expanded in case of arrays or objects. - type: string - value: - description: |- - Value is an optional name of the field within 'path' that points to the image URI. - This is useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: |- - ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. - This config is only valid for verifyImages rules. - type: object - match: - description: |- - MatchResources defines when this policy rule should be applied. The match - criteria can include resource information (e.g. kind, name, namespace, labels) - and admission review request information like the user name or role. - At least one kind is required. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: |- - ResourceDescription contains information about the resource being created or modified. - Requires at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match is being deprecated. - Please specify under "any" or "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one of - the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. - properties: - foreach: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - items: - description: ForEachMutation applies mutation rules - to a list of sub-elements by creating a context - for each entry in the list and looping over it to - apply the specified logic. - properties: - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: |- - ContextEntry adds variables and data sources to a rule Context. Either a - ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: |- - APICall is an HTTP request to the Kubernetes API server, or other JSON web service. - The data returned is stored in the context with the name for the context entry. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - globalReference: - description: GlobalContextEntryReference - is a reference to a cached global context - entry. - properties: - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - name: - description: Name of the global context - entry - type: string - type: object - imageRegistry: - description: |- - ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials - provides credentials that will be - used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry - allows insecure access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: |- - Reference is image reference to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: |- - Default is an optional arbitrary JSON object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: |- - JMESPath is an optional JMESPath Expression that can be used to - transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: |- - List specifies a JMESPath expression that results in one or more elements - to which the validation logic is applied. - type: string - order: - description: |- - Order defines the iteration order on the list. - Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. - enum: - - Ascending - - Descending - type: string - patchStrategicMerge: - description: |- - PatchStrategicMerge is a strategic merge patch used to modify resources. - See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: |- - PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. - See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: |- - AnyAllConditions are used to determine if a policy rule should be applied by evaluating a - set of conditions. The declaration can contain nested `any` or `all` statements. - See: https://kyverno.io/docs/writing-policies/preconditions/ - properties: - all: - description: |- - AllConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, all of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: |- - AnyConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, at least one of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: |- - PatchStrategicMerge is a strategic merge patch used to modify resources. - See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: |- - PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. - See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to - be mutated. - items: - description: TargetResourceSpec defines targets for - mutating existing resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: |- - ContextEntry adds variables and data sources to a rule Context. Either a - ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: |- - APICall is an HTTP request to the Kubernetes API server, or other JSON web service. - The data returned is stored in the context with the name for the context entry. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - globalReference: - description: GlobalContextEntryReference - is a reference to a cached global context - entry. - properties: - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - name: - description: Name of the global context - entry - type: string - type: object - imageRegistry: - description: |- - ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials - provides credentials that will be - used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry - allows insecure access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: |- - Reference is image reference to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: |- - Default is an optional arbitrary JSON object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: |- - JMESPath is an optional JMESPath Expression that can be used to - transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - preconditions: - description: |- - Preconditions are used to determine if a policy rule should be applied by evaluating a - set of conditions. The declaration can contain nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements is supported for backwards compatibility but - will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/ - x-kubernetes-preserve-unknown-fields: true - uid: - description: UID specifies the resource uid. - type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must - be unique within the policy. - maxLength: 63 - type: string - preconditions: - description: |- - Preconditions are used to determine if a policy rule should be applied by evaluating a - set of conditions. The declaration can contain nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements is supported for backwards compatibility but - will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/ - x-kubernetes-preserve-unknown-fields: true - skipBackgroundRequests: - default: true - description: |- - SkipBackgroundRequests bypasses admission requests that are sent by the background controller. - The default value is set to "true", it must be set to "false" to apply - generate and mutateExisting rules to those requests. - type: boolean - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: |- - AnyPattern specifies list of validation patterns. At least one of the patterns - must be satisfied for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - cel: - description: CEL allows validation checks using the - Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). - properties: - auditAnnotations: - description: AuditAnnotations contains CEL expressions - which are used to produce audit annotations for - the audit event of the API request. - items: - description: AuditAnnotation describes how to - produce an audit annotation for an API request. - properties: - key: - description: |- - key specifies the audit annotation key. The audit annotation keys of - a ValidatingAdmissionPolicy must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. - - - The key is combined with the resource name of the - ValidatingAdmissionPolicy to construct an audit annotation key: - "{ValidatingAdmissionPolicy name}/{key}". - - - If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation key will be identical. - In this case, the first annotation written with the key will be included - in the audit event and all subsequent annotations with the same key - will be discarded. - - - Required. - type: string - valueExpression: - description: |- - valueExpression represents the expression which is evaluated by CEL to - produce an audit annotation value. The expression must evaluate to either - a string or null value. If the expression evaluates to a string, the - audit annotation is included with the string value. If the expression - evaluates to null or empty string the audit annotation will be omitted. - The valueExpression may be no longer than 5kb in length. - If the result of the valueExpression is more than 10kb in length, it - will be truncated to 10kb. - - - If multiple ValidatingAdmissionPolicyBinding resources match an - API request, then the valueExpression will be evaluated for - each binding. All unique values produced by the valueExpressions - will be joined together in a comma-separated list. - - - Required. - type: string - required: - - key - - valueExpression - type: object - type: array - expressions: - description: Expressions is a list of CELExpression - types. - items: - description: Validation specifies the CEL expression - which is used to apply the validation. - properties: - expression: - description: "Expression represents the expression - which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL - expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful - variables:\n\n\n- 'object' - The object - from the incoming request. The value is - null for DELETE requests.\n- 'oldObject' - - The existing object. The value is null - for CREATE requests.\n- 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind.\n- - 'namespaceObject' - The namespace object - that the incoming object belongs to. The - value is null for cluster-scoped resources.\n- - 'variables' - Map of composited variables, - from its name to its lazily evaluated value.\n - \ For example, a variable named 'foo' can - be accessed as 'variables.foo'.\n- 'authorizer' - - A CEL Authorizer. May be used to perform - authorization checks for the principal (user - or service account) of the request.\n See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the\n request resource.\n\n\nThe `apiVersion`, - `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the\nobject. - No other metadata properties are accessible.\n\n\nOnly - property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible.\nAccessible property names - are escaped according to the following rules - when accessed in the expression:\n- '__' - escapes to '__underscores__'\n- '.' escapes - to '__dot__'\n- '-' escapes to '__dash__'\n- - '/' escapes to '__slash__'\n- Property names - that exactly match a CEL RESERVED keyword - escape to '__{keyword}__'. The keywords - are:\n\t \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\",\n\t - \ \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\".\nExamples:\n - \ - Expression accessing a property named - \"namespace\": {\"Expression\": \"object.__namespace__ - > 0\"}\n - Expression accessing a property - named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"}\n - Expression accessing a property - named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"}\n\n\nEquality on arrays with list - type of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1].\nConcatenation on - arrays with x-kubernetes-list-type use the - semantics of the list type:\n - 'set': - `X + Y` performs a union where the array - positions of all elements in `X` are preserved - and\n non-intersecting elements in `Y` - are appended, retaining their partial order.\n - \ - 'map': `X + Y` performs a merge where - the array positions of all keys in `X` are - preserved but the values\n are overwritten - by values in `Y` when the key sets of `X` - and `Y` intersect. Elements in `Y` with\n - \ non-intersecting keys are appended, - retaining their partial order.\nRequired." - type: string - message: - description: |- - Message represents the message displayed when validation fails. The message is required if the Expression contains - line breaks. The message must not contain line breaks. - If unset, the message is "failed rule: {Rule}". - e.g. "must be a URL with the host matching spec.host" - If the Expression contains line breaks. Message is required. - The message must not contain line breaks. - If unset, the message is "failed Expression: {Expression}". - type: string - messageExpression: - description: |- - messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. - Since messageExpression is used as a failure message, it must evaluate to a string. - If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. - If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced - as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string - that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and - the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. - messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. - Example: - "object.x must be less than max ("+string(params.max)+")" - type: string - reason: - description: |- - Reason represents a machine-readable description of why this validation failed. - If this is the first validation in the list to fail, this reason, as well as the - corresponding HTTP response code, are used in the - HTTP response to the client. - The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". - If not set, StatusReasonInvalid is used in the response to the client. - type: string - required: - - expression - type: object - type: array - paramKind: - description: ParamKind is a tuple of Group Kind - and Version. - properties: - apiVersion: - description: |- - APIVersion is the API group version the resources belong to. - In format of "group/version". - Required. - type: string - kind: - description: |- - Kind is the API kind the resources belong to. - Required. - type: string - type: object - x-kubernetes-map-type: atomic - paramRef: - description: ParamRef references a parameter resource. - properties: - name: - description: |- - `name` is the name of the resource being referenced. - - - `name` and `selector` are mutually exclusive properties. If one is set, - the other must be unset. - type: string - namespace: - description: |- - namespace is the namespace of the referenced resource. Allows limiting - the search for params to a specific namespace. Applies to both `name` and - `selector` fields. - - - A per-namespace parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field empty. - - - - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this - field results in a configuration error. - - - - If `paramKind` is namespace-scoped, the namespace of the object being - evaluated for admission will be used when this field is left unset. Take - care that if this is left empty the binding must not match any cluster-scoped - resources, which will result in an error. - type: string - parameterNotFoundAction: - description: |- - `parameterNotFoundAction` controls the behavior of the binding when the resource - exists, and name or selector is valid, but there are no parameters - matched by the binding. If the value is set to `Allow`, then no - matched parameters will be treated as successful validation by the binding. - If set to `Deny`, then no matched parameters will be subject to the - `failurePolicy` of the policy. - - - Allowed values are `Allow` or `Deny` - Default to `Deny` - type: string - selector: - description: |- - selector can be used to match multiple param objects based on their labels. - Supply selector: {} to match all resources of the ParamKind. - - - If multiple params are found, they are all evaluated with the policy expressions - and the results are ANDed together. - - - One of `name` or `selector` must be set, but `name` and `selector` are - mutually exclusive properties. If one is set, the other must be unset. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - x-kubernetes-map-type: atomic - variables: - description: |- - Variables contain definitions of variables that can be used in composition of other expressions. - Each variable is defined as a named CEL expression. - The variables defined here will be available under `variables` in other expressions of the policy. - items: - description: Variable is the definition of a variable - that is used for composition. - properties: - expression: - description: |- - Expression is the expression that will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers as the CEL expressions in Validation. - type: string - name: - description: |- - Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. - The variable can be accessed in other expressions through `variables` - For example, if name is "foo", the variable will be available as `variables.foo` - type: string - required: - - expression - - name - type: object - type: array - type: object - deny: - description: Deny defines conditions used to pass or - fail a validation rule. - properties: - conditions: - description: |- - Multiple conditions can be declared under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules - x-kubernetes-preserve-unknown-fields: true - type: object - foreach: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - items: - description: ForEachValidation applies validate rules - to a list of sub-elements by creating a context - for each entry in the list and looping over it to - apply the specified logic. - properties: - anyPattern: - description: |- - AnyPattern specifies list of validation patterns. At least one of the patterns - must be satisfied for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: |- - ContextEntry adds variables and data sources to a rule Context. Either a - ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: |- - APICall is an HTTP request to the Kubernetes API server, or other JSON web service. - The data returned is stored in the context with the name for the context entry. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - globalReference: - description: GlobalContextEntryReference - is a reference to a cached global context - entry. - properties: - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - name: - description: Name of the global context - entry - type: string - type: object - imageRegistry: - description: |- - ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials - provides credentials that will be - used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry - allows insecure access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: |- - Reference is image reference to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: |- - Default is an optional arbitrary JSON object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: |- - JMESPath is an optional JMESPath Expression that can be used to - transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. - properties: - conditions: - description: |- - Multiple conditions can be declared under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: |- - ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used as the validation scope within the foreach - block to allow referencing other elements in the subtree. - type: boolean - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: |- - List specifies a JMESPath expression that results in one or more elements - to which the validation logic is applied. - type: string - pattern: - description: Pattern specifies an overlay-style - pattern used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: |- - AnyAllConditions are used to determine if a policy rule should be applied by evaluating a - set of conditions. The declaration can contain nested `any` or `all` statements. - See: https://kyverno.io/docs/writing-policies/preconditions/ - properties: - all: - description: |- - AllConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, all of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: |- - AnyConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, at least one of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of - annotation for message and signature. Default - is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: |- - Count specifies the required number of entries that must match. If the count is null, all entries must match - (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a - value N, then N must be less than or equal to the size of entries, and at least N entries must match. - minimum: 1 - type: integer - entries: - description: |- - Entries contains the available attestors. An attestor can be a static key, - attributes for keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations are used for image verification. - Every specified key-value pair must exist and match in the verified payload. - The payload may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set - of Attestor used to specify a more - complex set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates. - properties: - cert: - description: Cert is an optional - PEM-encoded public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates - used to verify. - type: string - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - type: object - keyless: - description: |- - Keyless is a set of attribute used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - roots: - description: |- - Roots is an optional set of PEM encoded trusted root certificates. - If not provided, the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: |- - KMS provides the URI to the public key stored in a Key Management System. See: - https://github.com/sigstore/cosign/blob/main/KMS.md - type: string - publicKeys: - description: |- - Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly - specified or can be a variable reference to a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying it in the format "k8s:///". - The named Secret must specify a key `cosign.pub` containing the public key used for - verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each key is processed as a separate staticKey entry - (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and - sha512. - type: string - type: object - repository: - description: |- - Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. - If specified Repository will override other OCI image repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while - comparing manifests. - items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: |- - Repository is an optional alternate OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be - displayed on failure. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: |- - PodSecurity applies exemptions for Kubernetes Pod Security admission - by specifying exclusions for Pod Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security - Standard controls to be excluded. - items: - description: PodSecurityStandard specifies the - Pod Security Standard controls to be excluded. - properties: - controlName: - description: |- - ControlName specifies the name of the Pod Security Standard control. - See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: |- - Images selects matching containers and applies the container level PSS. - Each image is the image name consisting of the registry address, repository, image, and tag. - Empty list matches no containers, PSS checks are applied at the pod level only. - Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - items: - type: string - type: array - restrictedField: - description: |- - RestrictedField selects the field for the given Pod Security Standard control. - When not set, all restricted fields for the control are selected. - type: string - values: - description: Values defines the allowed values - that can be excluded. - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: |- - Level defines the Pod Security Standard level to be applied to workloads. - Allowed values are privileged, baseline, and restricted. - enum: - - privileged - - baseline - - restricted - type: string - version: - description: |- - Version defines the Pod Security Standard versions that Kubernetes supports. - Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest. - enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - v1.26 - - v1.27 - - v1.28 - - v1.29 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: |- - ImageVerification validates that images that match the specified pattern - are signed with the supplied public key. Once the image is verified it is - mutated to include the SHA digest retrieved during the registration. - properties: - additionalExtensions: - additionalProperties: - type: string - description: Deprecated. - type: object - annotations: - additionalProperties: - type: string - description: Deprecated. Use annotations per Attestor - instead. - type: object - attestations: - description: |- - Attestations are optional checks for signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the - OCI registry and decodes them into a list of Statement declarations. - items: - description: |- - Attestation are checks for signed in-toto Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the - OCI registry and decodes them into a list of Statements. - properties: - attestors: - description: Attestors specify the required - attestors (i.e. authorities). - items: - properties: - count: - description: |- - Count specifies the required number of entries that must match. If the count is null, all entries must match - (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a - value N, then N must be less than or equal to the size of entries, and at least N entries must match. - minimum: 1 - type: integer - entries: - description: |- - Entries contains the available attestors. An attestor can be a static key, - attributes for keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations are used for image verification. - Every specified key-value pair must exist and match in the verified payload. - The payload may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested - set of Attestor used to specify - a more complex set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates. - properties: - cert: - description: Cert is an optional - PEM-encoded public certificate. - type: string - certChain: - description: CertChain is an - optional PEM encoded set of - certificates used to verify. - type: string - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if - set, is used to validate - SCTs against a custom - source. - type: string - type: object - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog - skips transparency log - verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the - address of the transparency - log. Defaults to the public - Rekor log instance https://rekor.sigstore.dev. - type: string - type: object - type: object - keyless: - description: |- - Keyless is a set of attribute used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions - used for keyless signing. - type: object - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if - set, is used to validate - SCTs against a custom - source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog - skips transparency log - verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the - address of the transparency - log. Defaults to the public - Rekor log instance https://rekor.sigstore.dev. - type: string - type: object - roots: - description: |- - Roots is an optional set of PEM encoded trusted root certificates. - If not provided, the system roots are used. - type: string - subject: - description: Subject is the - verified identity used for - keyless signing, for example - the email address. - type: string - type: object - keys: - description: Keys specifies one - or more public keys. - properties: - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if - set, is used to validate - SCTs against a custom - source. - type: string - type: object - kms: - description: |- - KMS provides the URI to the public key stored in a Key Management System. See: - https://github.com/sigstore/cosign/blob/main/KMS.md - type: string - publicKeys: - description: |- - Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly - specified or can be a variable reference to a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying it in the format "k8s:///". - The named Secret must specify a key `cosign.pub` containing the public key used for - verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each key is processed as a separate staticKey entry - (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog - skips transparency log - verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the - address of the transparency - log. Defaults to the public - Rekor log instance https://rekor.sigstore.dev. - type: string - type: object - secret: - description: Reference to a - Secret resource that contains - a public key - properties: - name: - description: Name of the - secret. The provided secret - must contain a key named - cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature - algorithm for public keys. - Supported values are sha224, - sha256, sha384 and sha512. - type: string - type: object - repository: - description: |- - Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. - If specified Repository will override other OCI image repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: |- - Conditions are used to verify attributes within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there are predicates that match the predicate type. - items: - description: |- - AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one of its sub-conditions passes. - AllConditions get fulfilled only when all of its sub-conditions pass. - properties: - all: - description: |- - AllConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, all of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: |- - AnyConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, at least one of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: Deprecated in favour of 'Type', - to be removed soon - type: string - type: - description: Type defines the type of attestation - contained within the Statement. - type: string - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: |- - Count specifies the required number of entries that must match. If the count is null, all entries must match - (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a - value N, then N must be less than or equal to the size of entries, and at least N entries must match. - minimum: 1 - type: integer - entries: - description: |- - Entries contains the available attestors. An attestor can be a static key, - attributes for keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations are used for image verification. - Every specified key-value pair must exist and match in the verified payload. - The payload may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set - of Attestor used to specify a more complex - set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates. - properties: - cert: - description: Cert is an optional PEM-encoded - public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates - used to verify. - type: string - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - type: object - keyless: - description: |- - Keyless is a set of attribute used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - roots: - description: |- - Roots is an optional set of PEM encoded trusted root certificates. - If not provided, the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: |- - KMS provides the URI to the public key stored in a Key Management System. See: - https://github.com/sigstore/cosign/blob/main/KMS.md - type: string - publicKeys: - description: |- - Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly - specified or can be a variable reference to a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying it in the format "k8s:///". - The named Secret must specify a key `cosign.pub` containing the public key used for - verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each key is processed as a separate staticKey entry - (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and sha512. - type: string - type: object - repository: - description: |- - Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. - If specified Repository will override other OCI image repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - image: - description: Deprecated. Use ImageReferences instead. - type: string - imageReferences: - description: |- - ImageReferences is a list of matching image reference patterns. At least one pattern in the - list must match the image for the rule to apply. Each image reference consists of a registry - address (defaults to docker.io), repository, image, and tag (defaults to latest). - Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - items: - type: string - type: array - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry. - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure - access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers - required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - issuer: - description: Deprecated. Use KeylessAttestor instead. - type: string - key: - description: Deprecated. Use StaticKeyAttestor instead. - type: string - mutateDigest: - default: true - description: |- - MutateDigest enables replacement of image tags with digests. - Defaults to true. - type: boolean - repository: - description: |- - Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. - If specified Repository will override the default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. have matched passed a signature or attestation - check. - type: boolean - roots: - description: Deprecated. Use KeylessAttestor instead. - type: string - skipImageReferences: - description: |- - SkipImageReferences is a list of matching image reference patterns that should be skipped. - At least one pattern in the list must match the image for the rule to be skipped. Each image reference - consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). - Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - items: - type: string - type: array - subject: - description: Deprecated. Use KeylessAttestor instead. - type: string - type: - description: |- - Type specifies the method of signature validation. The allowed options - are Cosign and Notary. By default Cosign is used if a type is not specified. - enum: - - Cosign - - Notary - type: string - useCache: - default: true - description: UseCache enables caching of image verify - responses for this rule. - type: boolean - verifyDigest: - default: true - description: VerifyDigest validates that images have - a digest. - type: boolean - type: object - type: array - required: - - name - type: object - type: array - type: object - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - ready: - description: Deprecated in favor of Conditions - type: boolean - rulecount: - description: |- - RuleCountStatus contains four variables which describes counts for - validate, generate, mutate and verify images rules - properties: - generate: - description: Count for generate rules in policy - type: integer - mutate: - description: Count for mutate rules in policy - type: integer - validate: - description: Count for validate rules in policy - type: integer - verifyimages: - description: Count for verify image rules in policy - type: integer - required: - - generate - - mutate - - validate - - verifyimages - type: object - validatingadmissionpolicy: - description: ValidatingAdmissionPolicy contains status information - properties: - generated: - description: Generated indicates whether a validating admission - policy is generated from the policy or not - type: boolean - message: - description: |- - Message is a human readable message indicating details about the generation of validating admission policy - It is an empty string when validating admission policy is successfully generated. - type: string - required: - - generated - - message - type: object - required: - - ready - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.admission - name: ADMISSION - type: boolean - - jsonPath: .spec.background - name: BACKGROUND - type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - - jsonPath: .status.conditions[?(@.type == "Ready")].status - name: READY - type: string - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .spec.failurePolicy - name: FAILURE POLICY - priority: 1 - type: string - - jsonPath: .status.rulecount.validate - name: VALIDATE - priority: 1 - type: integer - - jsonPath: .status.rulecount.mutate - name: MUTATE - priority: 1 - type: integer - - jsonPath: .status.rulecount.generate - name: GENERATE - priority: 1 - type: integer - - jsonPath: .status.rulecount.verifyimages - name: VERIFY IMAGES - priority: 1 - type: integer - - jsonPath: .status.conditions[?(@.type == "Ready")].message - name: MESSAGE - type: string - name: v2beta1 - schema: - openAPIV3Schema: - description: |- - Policy declares validation, mutation, and generation behaviors for matching resources. - See: https://kyverno.io/docs/writing-policies/ for more information. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec defines policy behaviors and contains one or more rules. - properties: - admission: - default: true - description: |- - Admission controls if rules are applied during admission. - Optional. Default value is "true". - type: boolean - applyRules: - description: |- - ApplyRules controls how rules in a policy are applied. Rule are processed in - the order of declaration. When set to `One` processing stops after a rule has - been applied i.e. the rule matches and results in a pass, fail, or error. When - set to `All` all rules in the policy are processed. The default is `All`. - enum: - - All - - One - type: string - background: - default: true - description: |- - Background controls if rules are applied to existing resources during a background scan. - Optional. Default value is "true". The value must be set to "false" if the policy rule - uses variables that are only available in the admission review request (e.g. user name). - type: boolean - failurePolicy: - description: |- - FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. - Rules within the same policy share the same failure behavior. - Allowed values are Ignore or Fail. Defaults to Fail. - enum: - - Ignore - - Fail - type: string - generateExisting: - description: |- - GenerateExisting controls whether to trigger generate rule in existing resources - If is set to "true" generate rule will be triggered and applied to existing matched resources. - Defaults to "false" if not specified. - type: boolean - generateExistingOnPolicyUpdate: - description: Deprecated, use generateExisting instead - type: boolean - mutateExistingOnPolicyUpdate: - description: |- - MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. - Default value is "false". - type: boolean - rules: - description: |- - Rules is a list of Rule instances. A Policy contains multiple rules and - each rule can validate, mutate, or generate resources. - items: - description: |- - Rule defines a validation, mutation, or generation control for matching resources. - Each rules contains a match declaration to select resources, and an optional exclude - declaration to specify which resources to exclude. - properties: - celPreconditions: - description: |- - CELPreconditions are used to determine if a policy rule should be applied by evaluating a - set of CEL conditions. It can only be used with the validate.cel subrule - items: - description: MatchCondition represents a condition which must - by fulfilled for a request to be sent to a webhook. - properties: - expression: - description: |- - Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. - CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: - - - 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. - See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the - request resource. - Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - - - Required. - type: string - name: - description: |- - Name is an identifier for this match condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. A good name should be descriptive of - the associated expression. - Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or - '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an - optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') - - - Required. - type: string - required: - - expression - - name - type: object - type: array - context: - description: Context defines variables and data sources that - can be used during rule execution. - items: - description: |- - ContextEntry adds variables and data sources to a rule Context. Either a - ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: |- - APICall is an HTTP request to the Kubernetes API server, or other JSON web service. - The data returned is stored in the context with the name for the context entry. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains the HTTP POST - data - properties: - key: - description: Key is a unique identifier for - the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request type (GET - or POST). - enum: - - GET - - POST - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - globalReference: - description: GlobalContextEntryReference is a reference - to a cached global context entry. - properties: - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - name: - description: Name of the global context entry - type: string - type: object - imageRegistry: - description: |- - ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure - access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers - required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: |- - Reference is image reference to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath context - variable that can be defined inline. - properties: - default: - description: |- - Default is an optional arbitrary JSON object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: |- - JMESPath is an optional JMESPath Expression that can be used to - transform the variable. - type: string - value: - description: Value is any arbitrary JSON object representable - in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: |- - ExcludeResources defines when this policy rule should not be applied. The exclude - criteria can include resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - generate: - description: Generation is used to create new resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: |- - Clone specifies the source resource used to populate each generated resource. - At most one of Data or Clone can be specified. If neither are provided, the generated - resource will be created with default data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source resource - used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - namespace: - description: Namespace specifies source resource namespace. - type: string - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels`. - wildcard characters are not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: |- - Data provides the resource declaration used to populate each generated resource. - At most one of Data or Clone must be specified. If neither are provided, the generated - resource will be created with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - orphanDownstreamOnPolicyDelete: - description: |- - OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated - them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type. - See https://kyverno.io/docs/writing-policies/generate/#data-examples. - Defaults to "false" if not specified. - type: boolean - synchronize: - description: |- - Synchronize controls if generated resources should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated resources will be overwritten with resource - data from Data or the resource specified in the Clone declaration. - Optional. Defaults to "false" if not specified. - type: boolean - uid: - description: UID specifies the resource uid. - type: string - type: object - imageExtractors: - additionalProperties: - items: - properties: - jmesPath: - description: |- - JMESPath is an optional JMESPath expression to apply to the image value. - This is useful when the extracted image begins with a prefix like 'docker://'. - The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). - Note - Image digest mutation may not be used when applying a JMESPAth to an image. - type: string - key: - description: |- - Key is an optional name of the field within 'path' that will be used to uniquely identify an image. - Note - this field MUST be unique. - type: string - name: - description: |- - Name is the entry the image will be available under 'images.' in the context. - If this field is not defined, image entries will appear under 'images.custom'. - type: string - path: - description: |- - Path is the path to the object containing the image field in a custom resource. - It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. - Wildcard keys are expanded in case of arrays or objects. - type: string - value: - description: |- - Value is an optional name of the field within 'path' that points to the image URI. - This is useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: |- - ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. - This config is only valid for verifyImages rules. - type: object - match: - description: |- - MatchResources defines when this policy rule should be applied. The match - criteria can include resource information (e.g. kind, name, namespace, labels) - and admission review request information like the user name or role. - At least one kind is required. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one - of the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. - properties: - foreach: - description: ForEach applies mutation rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEachMutation applies mutation rules to - a list of sub-elements by creating a context for each - entry in the list and looping over it to apply the specified - logic. - properties: - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: |- - ContextEntry adds variables and data sources to a rule Context. Either a - ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: |- - APICall is an HTTP request to the Kubernetes API server, or other JSON web service. - The data returned is stored in the context with the name for the context entry. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains the - HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - globalReference: - description: GlobalContextEntryReference is - a reference to a cached global context entry. - properties: - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - name: - description: Name of the global context - entry - type: string - type: object - imageRegistry: - description: |- - ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: |- - Reference is image reference to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: |- - Default is an optional arbitrary JSON object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: |- - JMESPath is an optional JMESPath Expression that can be used to - transform the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: |- - List specifies a JMESPath expression that results in one or more elements - to which the validation logic is applied. - type: string - order: - description: |- - Order defines the iteration order on the list. - Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. - enum: - - Ascending - - Descending - type: string - patchStrategicMerge: - description: |- - PatchStrategicMerge is a strategic merge patch used to modify resources. - See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: |- - PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. - See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: |- - AnyAllConditions are used to determine if a policy rule should be applied by evaluating a - set of conditions. The declaration can contain nested `any` or `all` statements. - See: https://kyverno.io/docs/writing-policies/preconditions/ - properties: - all: - description: |- - AllConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, all of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: |- - AnyConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, at least one of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: |- - PatchStrategicMerge is a strategic merge patch used to modify resources. - See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: |- - PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. - See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to be - mutated. - items: - description: TargetResourceSpec defines targets for mutating - existing resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: |- - ContextEntry adds variables and data sources to a rule Context. Either a - ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: |- - APICall is an HTTP request to the Kubernetes API server, or other JSON web service. - The data returned is stored in the context with the name for the context entry. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains the - HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - globalReference: - description: GlobalContextEntryReference is - a reference to a cached global context entry. - properties: - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - name: - description: Name of the global context - entry - type: string - type: object - imageRegistry: - description: |- - ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: |- - Reference is image reference to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: |- - Default is an optional arbitrary JSON object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: |- - JMESPath is an optional JMESPath Expression that can be used to - transform the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - preconditions: - description: |- - Preconditions are used to determine if a policy rule should be applied by evaluating a - set of conditions. The declaration can contain nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements is supported for backwards compatibility but - will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/ - x-kubernetes-preserve-unknown-fields: true - uid: - description: UID specifies the resource uid. - type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must be - unique within the policy. - maxLength: 63 - type: string - preconditions: - description: |- - Preconditions are used to determine if a policy rule should be applied by evaluating a - set of conditions. The declaration can contain nested `any` or `all` statements. - See: https://kyverno.io/docs/writing-policies/preconditions/ - properties: - all: - description: |- - AllConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, all of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: |- - AnyConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, at least one of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - skipBackgroundRequests: - default: true - description: |- - SkipBackgroundRequests bypasses admission requests that are sent by the background controller. - The default value is set to "true", it must be set to "false" to apply - generate and mutateExisting rules to those requests. - type: boolean - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: |- - AnyPattern specifies list of validation patterns. At least one of the patterns - must be satisfied for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - cel: - description: CEL allows validation checks using the Common - Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). - properties: - auditAnnotations: - description: AuditAnnotations contains CEL expressions - which are used to produce audit annotations for the - audit event of the API request. - items: - description: AuditAnnotation describes how to produce - an audit annotation for an API request. - properties: - key: - description: |- - key specifies the audit annotation key. The audit annotation keys of - a ValidatingAdmissionPolicy must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. - - - The key is combined with the resource name of the - ValidatingAdmissionPolicy to construct an audit annotation key: - "{ValidatingAdmissionPolicy name}/{key}". - - - If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation key will be identical. - In this case, the first annotation written with the key will be included - in the audit event and all subsequent annotations with the same key - will be discarded. - - - Required. - type: string - valueExpression: - description: |- - valueExpression represents the expression which is evaluated by CEL to - produce an audit annotation value. The expression must evaluate to either - a string or null value. If the expression evaluates to a string, the - audit annotation is included with the string value. If the expression - evaluates to null or empty string the audit annotation will be omitted. - The valueExpression may be no longer than 5kb in length. - If the result of the valueExpression is more than 10kb in length, it - will be truncated to 10kb. - - - If multiple ValidatingAdmissionPolicyBinding resources match an - API request, then the valueExpression will be evaluated for - each binding. All unique values produced by the valueExpressions - will be joined together in a comma-separated list. - - - Required. - type: string - required: - - key - - valueExpression - type: object - type: array - expressions: - description: Expressions is a list of CELExpression - types. - items: - description: Validation specifies the CEL expression - which is used to apply the validation. - properties: - expression: - description: "Expression represents the expression - which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL - expressions have access to the contents of the - API request/response, organized into CEL variables - as well as some other useful variables:\n\n\n- - 'object' - The object from the incoming request. - The value is null for DELETE requests.\n- 'oldObject' - - The existing object. The value is null for - CREATE requests.\n- 'request' - Attributes of - the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- - 'params' - Parameter resource referred to by - the policy binding being evaluated. Only populated - if the policy has a ParamKind.\n- 'namespaceObject' - - The namespace object that the incoming object - belongs to. The value is null for cluster-scoped - resources.\n- 'variables' - Map of composited - variables, from its name to its lazily evaluated - value.\n For example, a variable named 'foo' - can be accessed as 'variables.foo'.\n- 'authorizer' - - A CEL Authorizer. May be used to perform authorization - checks for the principal (user or service account) - of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the\n request resource.\n\n\nThe `apiVersion`, - `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the\nobject. - No other metadata properties are accessible.\n\n\nOnly - property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible.\nAccessible property names are - escaped according to the following rules when - accessed in the expression:\n- '__' escapes - to '__underscores__'\n- '.' escapes to '__dot__'\n- - '-' escapes to '__dash__'\n- '/' escapes to - '__slash__'\n- Property names that exactly match - a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are:\n\t \"true\", \"false\", - \"null\", \"in\", \"as\", \"break\", \"const\", - \"continue\", \"else\", \"for\", \"function\", - \"if\",\n\t \"import\", \"let\", \"loop\", - \"package\", \"namespace\", \"return\".\nExamples:\n - \ - Expression accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ > 0\"}\n - \ - Expression accessing a property named \"x-prop\": - {\"Expression\": \"object.x__dash__prop > 0\"}\n - \ - Expression accessing a property named \"redact__d\": - {\"Expression\": \"object.redact__underscores__d - > 0\"}\n\n\nEquality on arrays with list type - of 'set' or 'map' ignores element order, i.e. - [1, 2] == [2, 1].\nConcatenation on arrays with - x-kubernetes-list-type use the semantics of - the list type:\n - 'set': `X + Y` performs - a union where the array positions of all elements - in `X` are preserved and\n non-intersecting - elements in `Y` are appended, retaining their - partial order.\n - 'map': `X + Y` performs - a merge where the array positions of all keys - in `X` are preserved but the values\n are - overwritten by values in `Y` when the key sets - of `X` and `Y` intersect. Elements in `Y` with\n - \ non-intersecting keys are appended, retaining - their partial order.\nRequired." - type: string - message: - description: |- - Message represents the message displayed when validation fails. The message is required if the Expression contains - line breaks. The message must not contain line breaks. - If unset, the message is "failed rule: {Rule}". - e.g. "must be a URL with the host matching spec.host" - If the Expression contains line breaks. Message is required. - The message must not contain line breaks. - If unset, the message is "failed Expression: {Expression}". - type: string - messageExpression: - description: |- - messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. - Since messageExpression is used as a failure message, it must evaluate to a string. - If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. - If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced - as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string - that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and - the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. - messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. - Example: - "object.x must be less than max ("+string(params.max)+")" - type: string - reason: - description: |- - Reason represents a machine-readable description of why this validation failed. - If this is the first validation in the list to fail, this reason, as well as the - corresponding HTTP response code, are used in the - HTTP response to the client. - The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". - If not set, StatusReasonInvalid is used in the response to the client. - type: string - required: - - expression - type: object - type: array - paramKind: - description: ParamKind is a tuple of Group Kind and - Version. - properties: - apiVersion: - description: |- - APIVersion is the API group version the resources belong to. - In format of "group/version". - Required. - type: string - kind: - description: |- - Kind is the API kind the resources belong to. - Required. - type: string - type: object - x-kubernetes-map-type: atomic - paramRef: - description: ParamRef references a parameter resource. - properties: - name: - description: |- - `name` is the name of the resource being referenced. - - - `name` and `selector` are mutually exclusive properties. If one is set, - the other must be unset. - type: string - namespace: - description: |- - namespace is the namespace of the referenced resource. Allows limiting - the search for params to a specific namespace. Applies to both `name` and - `selector` fields. - - - A per-namespace parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field empty. - - - - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this - field results in a configuration error. - - - - If `paramKind` is namespace-scoped, the namespace of the object being - evaluated for admission will be used when this field is left unset. Take - care that if this is left empty the binding must not match any cluster-scoped - resources, which will result in an error. - type: string - parameterNotFoundAction: - description: |- - `parameterNotFoundAction` controls the behavior of the binding when the resource - exists, and name or selector is valid, but there are no parameters - matched by the binding. If the value is set to `Allow`, then no - matched parameters will be treated as successful validation by the binding. - If set to `Deny`, then no matched parameters will be subject to the - `failurePolicy` of the policy. - - - Allowed values are `Allow` or `Deny` - Default to `Deny` - type: string - selector: - description: |- - selector can be used to match multiple param objects based on their labels. - Supply selector: {} to match all resources of the ParamKind. - - - If multiple params are found, they are all evaluated with the policy expressions - and the results are ANDed together. - - - One of `name` or `selector` must be set, but `name` and `selector` are - mutually exclusive properties. If one is set, the other must be unset. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - x-kubernetes-map-type: atomic - variables: - description: |- - Variables contain definitions of variables that can be used in composition of other expressions. - Each variable is defined as a named CEL expression. - The variables defined here will be available under `variables` in other expressions of the policy. - items: - description: Variable is the definition of a variable - that is used for composition. - properties: - expression: - description: |- - Expression is the expression that will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers as the CEL expressions in Validation. - type: string - name: - description: |- - Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. - The variable can be accessed in other expressions through `variables` - For example, if name is "foo", the variable will be available as `variables.foo` - type: string - required: - - expression - - name - type: object - type: array - type: object - deny: - description: Deny defines conditions used to pass or fail - a validation rule. - properties: - conditions: - description: |- - Multiple conditions can be declared under an `any` or `all` statement. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules - properties: - all: - description: |- - AllConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, all of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: |- - AnyConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, at least one of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: object - foreach: - description: ForEach applies validate rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEachValidation applies validate rules - to a list of sub-elements by creating a context for - each entry in the list and looping over it to apply - the specified logic. - properties: - anyPattern: - description: |- - AnyPattern specifies list of validation patterns. At least one of the patterns - must be satisfied for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: |- - ContextEntry adds variables and data sources to a rule Context. Either a - ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: |- - APICall is an HTTP request to the Kubernetes API server, or other JSON web service. - The data returned is stored in the context with the name for the context entry. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains the - HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - globalReference: - description: GlobalContextEntryReference is - a reference to a cached global context entry. - properties: - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - name: - description: Name of the global context - entry - type: string - type: object - imageRegistry: - description: |- - ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: |- - Reference is image reference to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: |- - Default is an optional arbitrary JSON object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: |- - JMESPath is an optional JMESPath Expression that can be used to - transform the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. - properties: - conditions: - description: |- - Multiple conditions can be declared under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: |- - ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used as the validation scope within the foreach - block to allow referencing other elements in the subtree. - type: boolean - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: |- - List specifies a JMESPath expression that results in one or more elements - to which the validation logic is applied. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: |- - AnyAllConditions are used to determine if a policy rule should be applied by evaluating a - set of conditions. The declaration can contain nested `any` or `all` statements. - See: https://kyverno.io/docs/writing-policies/preconditions/ - properties: - all: - description: |- - AllConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, all of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: |- - AnyConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, at least one of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display - message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of annotation - for message and signature. Default is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: |- - Count specifies the required number of entries that must match. If the count is null, all entries must match - (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a - value N, then N must be less than or equal to the size of entries, and at least N entries must match. - minimum: 1 - type: integer - entries: - description: |- - Entries contains the available attestors. An attestor can be a static key, - attributes for keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations are used for image verification. - Every specified key-value pair must exist and match in the verified payload. - The payload may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set of - Attestor used to specify a more complex - set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates. - properties: - cert: - description: Cert is an optional PEM-encoded - public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates used - to verify. - type: string - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - type: object - keyless: - description: |- - Keyless is a set of attribute used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - roots: - description: |- - Roots is an optional set of PEM encoded trusted root certificates. - If not provided, the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: |- - KMS provides the URI to the public key stored in a Key Management System. See: - https://github.com/sigstore/cosign/blob/main/KMS.md - type: string - publicKeys: - description: |- - Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly - specified or can be a variable reference to a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying it in the format "k8s:///". - The named Secret must specify a key `cosign.pub` containing the public key used for - verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each key is processed as a separate staticKey entry - (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and sha512. - type: string - type: object - repository: - description: |- - Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. - If specified Repository will override other OCI image repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while comparing - manifests. - items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: |- - Repository is an optional alternate OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be displayed - on failure. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: |- - PodSecurity applies exemptions for Kubernetes Pod Security admission - by specifying exclusions for Pod Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security Standard - controls to be excluded. - items: - description: PodSecurityStandard specifies the Pod - Security Standard controls to be excluded. - properties: - controlName: - description: |- - ControlName specifies the name of the Pod Security Standard control. - See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: |- - Images selects matching containers and applies the container level PSS. - Each image is the image name consisting of the registry address, repository, image, and tag. - Empty list matches no containers, PSS checks are applied at the pod level only. - Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - items: - type: string - type: array - restrictedField: - description: |- - RestrictedField selects the field for the given Pod Security Standard control. - When not set, all restricted fields for the control are selected. - type: string - values: - description: Values defines the allowed values - that can be excluded. - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: |- - Level defines the Pod Security Standard level to be applied to workloads. - Allowed values are privileged, baseline, and restricted. - enum: - - privileged - - baseline - - restricted - type: string - version: - description: |- - Version defines the Pod Security Standard versions that Kubernetes supports. - Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest. - enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - v1.26 - - v1.27 - - v1.28 - - v1.29 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: |- - ImageVerification validates that images that match the specified pattern - are signed with the supplied public key. Once the image is verified it is - mutated to include the SHA digest retrieved during the registration. - properties: - attestations: - description: |- - Attestations are optional checks for signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the - OCI registry and decodes them into a list of Statement declarations. - items: - description: |- - Attestation are checks for signed in-toto Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the - OCI registry and decodes them into a list of Statements. - properties: - attestors: - description: Attestors specify the required attestors - (i.e. authorities). - items: - properties: - count: - description: |- - Count specifies the required number of entries that must match. If the count is null, all entries must match - (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a - value N, then N must be less than or equal to the size of entries, and at least N entries must match. - minimum: 1 - type: integer - entries: - description: |- - Entries contains the available attestors. An attestor can be a static key, - attributes for keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations are used for image verification. - Every specified key-value pair must exist and match in the verified payload. - The payload may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set - of Attestor used to specify a more - complex set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates. - properties: - cert: - description: Cert is an optional - PEM-encoded public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates - used to verify. - type: string - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - type: object - keyless: - description: |- - Keyless is a set of attribute used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - roots: - description: |- - Roots is an optional set of PEM encoded trusted root certificates. - If not provided, the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: |- - KMS provides the URI to the public key stored in a Key Management System. See: - https://github.com/sigstore/cosign/blob/main/KMS.md - type: string - publicKeys: - description: |- - Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly - specified or can be a variable reference to a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying it in the format "k8s:///". - The named Secret must specify a key `cosign.pub` containing the public key used for - verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each key is processed as a separate staticKey entry - (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and - sha512. - type: string - type: object - repository: - description: |- - Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. - If specified Repository will override other OCI image repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: |- - Conditions are used to verify attributes within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there are predicates that match the predicate type. - items: - description: |- - AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one of its sub-conditions passes. - AllConditions get fulfilled only when all of its sub-conditions pass. - properties: - all: - description: |- - AllConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, all of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: |- - AnyConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, at least one of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: Deprecated in favour of 'Type', to - be removed soon - type: string - type: - description: Type defines the type of attestation - contained within the Statement. - type: string - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: |- - Count specifies the required number of entries that must match. If the count is null, all entries must match - (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a - value N, then N must be less than or equal to the size of entries, and at least N entries must match. - minimum: 1 - type: integer - entries: - description: |- - Entries contains the available attestors. An attestor can be a static key, - attributes for keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations are used for image verification. - Every specified key-value pair must exist and match in the verified payload. - The payload may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set of Attestor - used to specify a more complex set of match - authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one or - more certificates. - properties: - cert: - description: Cert is an optional PEM-encoded - public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates used - to verify. - type: string - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is used - to validate SCTs against a custom - source. - type: string - type: object - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address of - the transparency log. Defaults to - the public Rekor log instance https://rekor.sigstore.dev. - type: string - type: object - type: object - keyless: - description: |- - Keyless is a set of attribute used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is used - to validate SCTs against a custom - source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address of - the transparency log. Defaults to - the public Rekor log instance https://rekor.sigstore.dev. - type: string - type: object - roots: - description: |- - Roots is an optional set of PEM encoded trusted root certificates. - If not provided, the system roots are used. - type: string - subject: - description: Subject is the verified identity - used for keyless signing, for example - the email address. - type: string - type: object - keys: - description: Keys specifies one or more public - keys. - properties: - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is used - to validate SCTs against a custom - source. - type: string - type: object - kms: - description: |- - KMS provides the URI to the public key stored in a Key Management System. See: - https://github.com/sigstore/cosign/blob/main/KMS.md - type: string - publicKeys: - description: |- - Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly - specified or can be a variable reference to a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying it in the format "k8s:///". - The named Secret must specify a key `cosign.pub` containing the public key used for - verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each key is processed as a separate staticKey entry - (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips transparency - log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address of - the transparency log. Defaults to - the public Rekor log instance https://rekor.sigstore.dev. - type: string - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. The - provided secret must contain a key - named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values are - sha224, sha256, sha384 and sha512. - type: string - type: object - repository: - description: |- - Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. - If specified Repository will override other OCI image repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - imageReferences: - description: |- - ImageReferences is a list of matching image reference patterns. At least one pattern in the - list must match the image for the rule to apply. Each image reference consists of a registry - address (defaults to docker.io), repository, image, and tag (defaults to latest). - Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - items: - type: string - type: array - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure - access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - mutateDigest: - default: true - description: |- - MutateDigest enables replacement of image tags with digests. - Defaults to true. - type: boolean - repository: - description: |- - Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. - If specified Repository will override the default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. have matched passed a signature or attestation - check. - type: boolean - skipImageReferences: - description: |- - SkipImageReferences is a list of matching image reference patterns that should be skipped. - At least one pattern in the list must match the image for the rule to be skipped. Each image reference - consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). - Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - items: - type: string - type: array - type: - description: |- - Type specifies the method of signature validation. The allowed options - are Cosign and Notary. By default Cosign is used if a type is not specified. - enum: - - Cosign - - Notary - type: string - useCache: - default: true - description: UseCache enables caching of image verify - responses for this rule - type: boolean - verifyDigest: - default: true - description: VerifyDigest validates that images have a - digest. - type: boolean - type: object - type: array - required: - - name - type: object - type: array - schemaValidation: - description: Deprecated. - type: boolean - useServerSideApply: - description: |- - UseServerSideApply controls whether to use server-side apply for generate rules - If is set to "true" create & update for generate rules will use apply instead of create/update. - Defaults to "false" if not specified. - type: boolean - validationFailureAction: - default: Audit - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are audit or enforce. The default value is "Audit". - enum: - - audit - - enforce - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the policy validation - failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array - webhookConfiguration: - description: |- - WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. - Requires Kubernetes 1.27 or later. - properties: - matchConditions: - description: MatchCondition configures admission webhook matchConditions. - items: - description: MatchCondition represents a condition which must - by fulfilled for a request to be sent to a webhook. - properties: - expression: - description: |- - Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. - CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: - - - 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. - See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the - request resource. - Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - - - Required. - type: string - name: - description: |- - Name is an identifier for this match condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. A good name should be descriptive of - the associated expression. - Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or - '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an - optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') - - - Required. - type: string - required: - - expression - - name - type: object - type: array - type: object - webhookTimeoutSeconds: - description: |- - WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. - After the configured time expires, the admission request may fail, or may simply ignore the policy results, - based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. - format: int32 - type: integer - type: object - status: - description: Status contains policy runtime data. - properties: - autogen: - description: AutogenStatus contains autogen status information. - properties: - rules: - description: Rules is a list of Rule instances. It contains auto - generated rules added for pod controllers - items: - description: |- - Rule defines a validation, mutation, or generation control for matching resources. - Each rules contains a match declaration to select resources, and an optional exclude - declaration to specify which resources to exclude. - properties: - celPreconditions: - description: |- - CELPreconditions are used to determine if a policy rule should be applied by evaluating a - set of CEL conditions. It can only be used with the validate.cel subrule - items: - description: MatchCondition represents a condition which - must by fulfilled for a request to be sent to a webhook. - properties: - expression: - description: |- - Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. - CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: - - - 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. - See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the - request resource. - Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - - - Required. - type: string - name: - description: |- - Name is an identifier for this match condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. A good name should be descriptive of - the associated expression. - Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or - '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an - optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') - - - Required. - type: string - required: - - expression - - name - type: object - type: array - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: |- - ContextEntry adds variables and data sources to a rule Context. Either a - ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: |- - APICall is an HTTP request to the Kubernetes API server, or other JSON web service. - The data returned is stored in the context with the name for the context entry. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains the HTTP POST - data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request type (GET - or POST). - enum: - - GET - - POST - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - globalReference: - description: GlobalContextEntryReference is a reference - to a cached global context entry. - properties: - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - name: - description: Name of the global context entry - type: string - type: object - imageRegistry: - description: |- - ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials provides - credentials that will be used for authentication - with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows - insecure access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers - required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: |- - Reference is image reference to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: |- - Default is an optional arbitrary JSON object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: |- - JMESPath is an optional JMESPath Expression that can be used to - transform the variable. - type: string - value: - description: Value is any arbitrary JSON object - representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: |- - ExcludeResources defines when this policy rule should not be applied. The exclude - criteria can include resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: |- - ResourceDescription contains information about the resource being created or modified. - Requires at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match is being deprecated. - Please specify under "any" or "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one of - the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - generate: - description: Generation is used to create new resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: |- - Clone specifies the source resource used to populate each generated resource. - At most one of Data or Clone can be specified. If neither are provided, the generated - resource will be created with default data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource - namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source - resource used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - namespace: - description: Namespace specifies source resource - namespace. - type: string - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels`. - wildcard characters are not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: |- - Data provides the resource declaration used to populate each generated resource. - At most one of Data or Clone must be specified. If neither are provided, the generated - resource will be created with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - orphanDownstreamOnPolicyDelete: - description: |- - OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated - them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type. - See https://kyverno.io/docs/writing-policies/generate/#data-examples. - Defaults to "false" if not specified. - type: boolean - synchronize: - description: |- - Synchronize controls if generated resources should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated resources will be overwritten with resource - data from Data or the resource specified in the Clone declaration. - Optional. Defaults to "false" if not specified. - type: boolean - uid: - description: UID specifies the resource uid. - type: string - type: object - imageExtractors: - additionalProperties: - items: - properties: - jmesPath: - description: |- - JMESPath is an optional JMESPath expression to apply to the image value. - This is useful when the extracted image begins with a prefix like 'docker://'. - The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). - Note - Image digest mutation may not be used when applying a JMESPAth to an image. - type: string - key: - description: |- - Key is an optional name of the field within 'path' that will be used to uniquely identify an image. - Note - this field MUST be unique. - type: string - name: - description: |- - Name is the entry the image will be available under 'images.' in the context. - If this field is not defined, image entries will appear under 'images.custom'. - type: string - path: - description: |- - Path is the path to the object containing the image field in a custom resource. - It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. - Wildcard keys are expanded in case of arrays or objects. - type: string - value: - description: |- - Value is an optional name of the field within 'path' that points to the image URI. - This is useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: |- - ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. - This config is only valid for verifyImages rules. - type: object - match: - description: |- - MatchResources defines when this policy rule should be applied. The match - criteria can include resource information (e.g. kind, name, namespace, labels) - and admission review request information like the user name or role. - At least one kind is required. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values - ["CREATE, "UPDATE", "CONNECT", "DELETE"], - which are used to match a specific action. - items: - description: AdmissionOperation can have - one of the values CREATE, UPDATE, CONNECT, - DELETE, which are used to match a specific - action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: |- - ResourceDescription contains information about the resource being created or modified. - Requires at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match is being deprecated. - Please specify under "any" or "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used - to match a specific action. - items: - description: AdmissionOperation can have one of - the values CREATE, UPDATE, CONNECT, DELETE, - which are used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. - properties: - foreach: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - items: - description: ForEachMutation applies mutation rules - to a list of sub-elements by creating a context - for each entry in the list and looping over it to - apply the specified logic. - properties: - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: |- - ContextEntry adds variables and data sources to a rule Context. Either a - ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: |- - APICall is an HTTP request to the Kubernetes API server, or other JSON web service. - The data returned is stored in the context with the name for the context entry. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - globalReference: - description: GlobalContextEntryReference - is a reference to a cached global context - entry. - properties: - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - name: - description: Name of the global context - entry - type: string - type: object - imageRegistry: - description: |- - ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials - provides credentials that will be - used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry - allows insecure access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: |- - Reference is image reference to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: |- - Default is an optional arbitrary JSON object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: |- - JMESPath is an optional JMESPath Expression that can be used to - transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: |- - List specifies a JMESPath expression that results in one or more elements - to which the validation logic is applied. - type: string - order: - description: |- - Order defines the iteration order on the list. - Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. - enum: - - Ascending - - Descending - type: string - patchStrategicMerge: - description: |- - PatchStrategicMerge is a strategic merge patch used to modify resources. - See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: |- - PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. - See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: |- - AnyAllConditions are used to determine if a policy rule should be applied by evaluating a - set of conditions. The declaration can contain nested `any` or `all` statements. - See: https://kyverno.io/docs/writing-policies/preconditions/ - properties: - all: - description: |- - AllConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, all of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: |- - AnyConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, at least one of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: |- - PatchStrategicMerge is a strategic merge patch used to modify resources. - See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: |- - PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. - See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to - be mutated. - items: - description: TargetResourceSpec defines targets for - mutating existing resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: |- - ContextEntry adds variables and data sources to a rule Context. Either a - ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: |- - APICall is an HTTP request to the Kubernetes API server, or other JSON web service. - The data returned is stored in the context with the name for the context entry. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - globalReference: - description: GlobalContextEntryReference - is a reference to a cached global context - entry. - properties: - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - name: - description: Name of the global context - entry - type: string - type: object - imageRegistry: - description: |- - ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials - provides credentials that will be - used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry - allows insecure access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: |- - Reference is image reference to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: |- - Default is an optional arbitrary JSON object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: |- - JMESPath is an optional JMESPath Expression that can be used to - transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - preconditions: - description: |- - Preconditions are used to determine if a policy rule should be applied by evaluating a - set of conditions. The declaration can contain nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements is supported for backwards compatibility but - will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/ - x-kubernetes-preserve-unknown-fields: true - uid: - description: UID specifies the resource uid. - type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must - be unique within the policy. - maxLength: 63 - type: string - preconditions: - description: |- - Preconditions are used to determine if a policy rule should be applied by evaluating a - set of conditions. The declaration can contain nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements is supported for backwards compatibility but - will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/ - x-kubernetes-preserve-unknown-fields: true - skipBackgroundRequests: - default: true - description: |- - SkipBackgroundRequests bypasses admission requests that are sent by the background controller. - The default value is set to "true", it must be set to "false" to apply - generate and mutateExisting rules to those requests. - type: boolean - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: |- - AnyPattern specifies list of validation patterns. At least one of the patterns - must be satisfied for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - cel: - description: CEL allows validation checks using the - Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). - properties: - auditAnnotations: - description: AuditAnnotations contains CEL expressions - which are used to produce audit annotations for - the audit event of the API request. - items: - description: AuditAnnotation describes how to - produce an audit annotation for an API request. - properties: - key: - description: |- - key specifies the audit annotation key. The audit annotation keys of - a ValidatingAdmissionPolicy must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. - - - The key is combined with the resource name of the - ValidatingAdmissionPolicy to construct an audit annotation key: - "{ValidatingAdmissionPolicy name}/{key}". - - - If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation key will be identical. - In this case, the first annotation written with the key will be included - in the audit event and all subsequent annotations with the same key - will be discarded. - - - Required. - type: string - valueExpression: - description: |- - valueExpression represents the expression which is evaluated by CEL to - produce an audit annotation value. The expression must evaluate to either - a string or null value. If the expression evaluates to a string, the - audit annotation is included with the string value. If the expression - evaluates to null or empty string the audit annotation will be omitted. - The valueExpression may be no longer than 5kb in length. - If the result of the valueExpression is more than 10kb in length, it - will be truncated to 10kb. - - - If multiple ValidatingAdmissionPolicyBinding resources match an - API request, then the valueExpression will be evaluated for - each binding. All unique values produced by the valueExpressions - will be joined together in a comma-separated list. - - - Required. - type: string - required: - - key - - valueExpression - type: object - type: array - expressions: - description: Expressions is a list of CELExpression - types. - items: - description: Validation specifies the CEL expression - which is used to apply the validation. - properties: - expression: - description: "Expression represents the expression - which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL - expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful - variables:\n\n\n- 'object' - The object - from the incoming request. The value is - null for DELETE requests.\n- 'oldObject' - - The existing object. The value is null - for CREATE requests.\n- 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind.\n- - 'namespaceObject' - The namespace object - that the incoming object belongs to. The - value is null for cluster-scoped resources.\n- - 'variables' - Map of composited variables, - from its name to its lazily evaluated value.\n - \ For example, a variable named 'foo' can - be accessed as 'variables.foo'.\n- 'authorizer' - - A CEL Authorizer. May be used to perform - authorization checks for the principal (user - or service account) of the request.\n See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the\n request resource.\n\n\nThe `apiVersion`, - `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the\nobject. - No other metadata properties are accessible.\n\n\nOnly - property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible.\nAccessible property names - are escaped according to the following rules - when accessed in the expression:\n- '__' - escapes to '__underscores__'\n- '.' escapes - to '__dot__'\n- '-' escapes to '__dash__'\n- - '/' escapes to '__slash__'\n- Property names - that exactly match a CEL RESERVED keyword - escape to '__{keyword}__'. The keywords - are:\n\t \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\",\n\t - \ \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\".\nExamples:\n - \ - Expression accessing a property named - \"namespace\": {\"Expression\": \"object.__namespace__ - > 0\"}\n - Expression accessing a property - named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"}\n - Expression accessing a property - named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"}\n\n\nEquality on arrays with list - type of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1].\nConcatenation on - arrays with x-kubernetes-list-type use the - semantics of the list type:\n - 'set': - `X + Y` performs a union where the array - positions of all elements in `X` are preserved - and\n non-intersecting elements in `Y` - are appended, retaining their partial order.\n - \ - 'map': `X + Y` performs a merge where - the array positions of all keys in `X` are - preserved but the values\n are overwritten - by values in `Y` when the key sets of `X` - and `Y` intersect. Elements in `Y` with\n - \ non-intersecting keys are appended, - retaining their partial order.\nRequired." - type: string - message: - description: |- - Message represents the message displayed when validation fails. The message is required if the Expression contains - line breaks. The message must not contain line breaks. - If unset, the message is "failed rule: {Rule}". - e.g. "must be a URL with the host matching spec.host" - If the Expression contains line breaks. Message is required. - The message must not contain line breaks. - If unset, the message is "failed Expression: {Expression}". - type: string - messageExpression: - description: |- - messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. - Since messageExpression is used as a failure message, it must evaluate to a string. - If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. - If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced - as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string - that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and - the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. - messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. - Example: - "object.x must be less than max ("+string(params.max)+")" - type: string - reason: - description: |- - Reason represents a machine-readable description of why this validation failed. - If this is the first validation in the list to fail, this reason, as well as the - corresponding HTTP response code, are used in the - HTTP response to the client. - The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". - If not set, StatusReasonInvalid is used in the response to the client. - type: string - required: - - expression - type: object - type: array - paramKind: - description: ParamKind is a tuple of Group Kind - and Version. - properties: - apiVersion: - description: |- - APIVersion is the API group version the resources belong to. - In format of "group/version". - Required. - type: string - kind: - description: |- - Kind is the API kind the resources belong to. - Required. - type: string - type: object - x-kubernetes-map-type: atomic - paramRef: - description: ParamRef references a parameter resource. - properties: - name: - description: |- - `name` is the name of the resource being referenced. - - - `name` and `selector` are mutually exclusive properties. If one is set, - the other must be unset. - type: string - namespace: - description: |- - namespace is the namespace of the referenced resource. Allows limiting - the search for params to a specific namespace. Applies to both `name` and - `selector` fields. - - - A per-namespace parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field empty. - - - - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this - field results in a configuration error. - - - - If `paramKind` is namespace-scoped, the namespace of the object being - evaluated for admission will be used when this field is left unset. Take - care that if this is left empty the binding must not match any cluster-scoped - resources, which will result in an error. - type: string - parameterNotFoundAction: - description: |- - `parameterNotFoundAction` controls the behavior of the binding when the resource - exists, and name or selector is valid, but there are no parameters - matched by the binding. If the value is set to `Allow`, then no - matched parameters will be treated as successful validation by the binding. - If set to `Deny`, then no matched parameters will be subject to the - `failurePolicy` of the policy. - - - Allowed values are `Allow` or `Deny` - Default to `Deny` - type: string - selector: - description: |- - selector can be used to match multiple param objects based on their labels. - Supply selector: {} to match all resources of the ParamKind. - - - If multiple params are found, they are all evaluated with the policy expressions - and the results are ANDed together. - - - One of `name` or `selector` must be set, but `name` and `selector` are - mutually exclusive properties. If one is set, the other must be unset. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - x-kubernetes-map-type: atomic - variables: - description: |- - Variables contain definitions of variables that can be used in composition of other expressions. - Each variable is defined as a named CEL expression. - The variables defined here will be available under `variables` in other expressions of the policy. - items: - description: Variable is the definition of a variable - that is used for composition. - properties: - expression: - description: |- - Expression is the expression that will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers as the CEL expressions in Validation. - type: string - name: - description: |- - Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. - The variable can be accessed in other expressions through `variables` - For example, if name is "foo", the variable will be available as `variables.foo` - type: string - required: - - expression - - name - type: object - type: array - type: object - deny: - description: Deny defines conditions used to pass or - fail a validation rule. - properties: - conditions: - description: |- - Multiple conditions can be declared under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules - x-kubernetes-preserve-unknown-fields: true - type: object - foreach: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - items: - description: ForEachValidation applies validate rules - to a list of sub-elements by creating a context - for each entry in the list and looping over it to - apply the specified logic. - properties: - anyPattern: - description: |- - AnyPattern specifies list of validation patterns. At least one of the patterns - must be satisfied for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: |- - ContextEntry adds variables and data sources to a rule Context. Either a - ConfigMap reference or a APILookup must be provided. - properties: - apiCall: - description: |- - APICall is an HTTP request to the Kubernetes API server, or other JSON web service. - The data returned is stored in the context with the name for the context entry. - properties: - data: - description: |- - The data object specifies the POST data sent to the server. - Only applicable when the method field is set to POST. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - method: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - service: - description: |- - Service is an API call to a JSON web service. - This is used for non-Kubernetes API server calls. - It's mutually exclusive with the URLPath field. - properties: - caBundle: - description: |- - CABundle is a PEM encoded CA bundle which will be used to validate - the server certificate. - type: string - url: - description: |- - URL is the JSON web service URL. A typical form is - `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - url - type: object - urlPath: - description: |- - URLPath is the URL path to be used in the HTTP GET or POST request to the - Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl get --raw` command. - See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls - for details. - It's mutually exclusive with the Service field. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - globalReference: - description: GlobalContextEntryReference - is a reference to a cached global context - entry. - properties: - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the JSON response returned from the server. For example - a JMESPath of "items | length(@)" applied to the API server response - for the URLPath "/apis/apps/v1/deployments" will return the total count - of deployments across all namespaces. - type: string - name: - description: Name of the global context - entry - type: string - type: object - imageRegistry: - description: |- - ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - details. - properties: - imageRegistryCredentials: - description: ImageRegistryCredentials - provides credentials that will be - used for authentication with registry - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry - allows insecure access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential - providers required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - jmesPath: - description: |- - JMESPath is an optional JSON Match Expression that can be used to - transform the ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: |- - Reference is image reference to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: |- - Default is an optional arbitrary JSON object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: |- - JMESPath is an optional JMESPath Expression that can be used to - transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. - properties: - conditions: - description: |- - Multiple conditions can be declared under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: |- - ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used as the validation scope within the foreach - block to allow referencing other elements in the subtree. - type: boolean - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: |- - List specifies a JMESPath expression that results in one or more elements - to which the validation logic is applied. - type: string - pattern: - description: Pattern specifies an overlay-style - pattern used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: |- - AnyAllConditions are used to determine if a policy rule should be applied by evaluating a - set of conditions. The declaration can contain nested `any` or `all` statements. - See: https://kyverno.io/docs/writing-policies/preconditions/ - properties: - all: - description: |- - AllConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, all of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: |- - AnyConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, at least one of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of - annotation for message and signature. Default - is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: |- - Count specifies the required number of entries that must match. If the count is null, all entries must match - (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a - value N, then N must be less than or equal to the size of entries, and at least N entries must match. - minimum: 1 - type: integer - entries: - description: |- - Entries contains the available attestors. An attestor can be a static key, - attributes for keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations are used for image verification. - Every specified key-value pair must exist and match in the verified payload. - The payload may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set - of Attestor used to specify a more - complex set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates. - properties: - cert: - description: Cert is an optional - PEM-encoded public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates - used to verify. - type: string - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - type: object - keyless: - description: |- - Keyless is a set of attribute used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - roots: - description: |- - Roots is an optional set of PEM encoded trusted root certificates. - If not provided, the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, - is used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: |- - KMS provides the URI to the public key stored in a Key Management System. See: - https://github.com/sigstore/cosign/blob/main/KMS.md - type: string - publicKeys: - description: |- - Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly - specified or can be a variable reference to a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying it in the format "k8s:///". - The named Secret must specify a key `cosign.pub` containing the public key used for - verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each key is processed as a separate staticKey entry - (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and - sha512. - type: string - type: object - repository: - description: |- - Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. - If specified Repository will override other OCI image repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while - comparing manifests. - items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: |- - Repository is an optional alternate OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be - displayed on failure. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: |- - PodSecurity applies exemptions for Kubernetes Pod Security admission - by specifying exclusions for Pod Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security - Standard controls to be excluded. - items: - description: PodSecurityStandard specifies the - Pod Security Standard controls to be excluded. - properties: - controlName: - description: |- - ControlName specifies the name of the Pod Security Standard control. - See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: |- - Images selects matching containers and applies the container level PSS. - Each image is the image name consisting of the registry address, repository, image, and tag. - Empty list matches no containers, PSS checks are applied at the pod level only. - Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - items: - type: string - type: array - restrictedField: - description: |- - RestrictedField selects the field for the given Pod Security Standard control. - When not set, all restricted fields for the control are selected. - type: string - values: - description: Values defines the allowed values - that can be excluded. - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: |- - Level defines the Pod Security Standard level to be applied to workloads. - Allowed values are privileged, baseline, and restricted. - enum: - - privileged - - baseline - - restricted - type: string - version: - description: |- - Version defines the Pod Security Standard versions that Kubernetes supports. - Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest. - enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - v1.26 - - v1.27 - - v1.28 - - v1.29 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: |- - ImageVerification validates that images that match the specified pattern - are signed with the supplied public key. Once the image is verified it is - mutated to include the SHA digest retrieved during the registration. - properties: - additionalExtensions: - additionalProperties: - type: string - description: Deprecated. - type: object - annotations: - additionalProperties: - type: string - description: Deprecated. Use annotations per Attestor - instead. - type: object - attestations: - description: |- - Attestations are optional checks for signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the - OCI registry and decodes them into a list of Statement declarations. - items: - description: |- - Attestation are checks for signed in-toto Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the - OCI registry and decodes them into a list of Statements. - properties: - attestors: - description: Attestors specify the required - attestors (i.e. authorities). - items: - properties: - count: - description: |- - Count specifies the required number of entries that must match. If the count is null, all entries must match - (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a - value N, then N must be less than or equal to the size of entries, and at least N entries must match. - minimum: 1 - type: integer - entries: - description: |- - Entries contains the available attestors. An attestor can be a static key, - attributes for keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations are used for image verification. - Every specified key-value pair must exist and match in the verified payload. - The payload may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested - set of Attestor used to specify - a more complex set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates. - properties: - cert: - description: Cert is an optional - PEM-encoded public certificate. - type: string - certChain: - description: CertChain is an - optional PEM encoded set of - certificates used to verify. - type: string - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if - set, is used to validate - SCTs against a custom - source. - type: string - type: object - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog - skips transparency log - verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the - address of the transparency - log. Defaults to the public - Rekor log instance https://rekor.sigstore.dev. - type: string - type: object - type: object - keyless: - description: |- - Keyless is a set of attribute used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions - used for keyless signing. - type: object - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if - set, is used to validate - SCTs against a custom - source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog - skips transparency log - verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the - address of the transparency - log. Defaults to the public - Rekor log instance https://rekor.sigstore.dev. - type: string - type: object - roots: - description: |- - Roots is an optional set of PEM encoded trusted root certificates. - If not provided, the system roots are used. - type: string - subject: - description: Subject is the - verified identity used for - keyless signing, for example - the email address. - type: string - type: object - keys: - description: Keys specifies one - or more public keys. - properties: - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if - set, is used to validate - SCTs against a custom - source. - type: string - type: object - kms: - description: |- - KMS provides the URI to the public key stored in a Key Management System. See: - https://github.com/sigstore/cosign/blob/main/KMS.md - type: string - publicKeys: - description: |- - Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly - specified or can be a variable reference to a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying it in the format "k8s:///". - The named Secret must specify a key `cosign.pub` containing the public key used for - verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each key is processed as a separate staticKey entry - (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog - skips transparency log - verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the - address of the transparency - log. Defaults to the public - Rekor log instance https://rekor.sigstore.dev. - type: string - type: object - secret: - description: Reference to a - Secret resource that contains - a public key - properties: - name: - description: Name of the - secret. The provided secret - must contain a key named - cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature - algorithm for public keys. - Supported values are sha224, - sha256, sha384 and sha512. - type: string - type: object - repository: - description: |- - Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. - If specified Repository will override other OCI image repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: |- - Conditions are used to verify attributes within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there are predicates that match the predicate type. - items: - description: |- - AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one of its sub-conditions passes. - AllConditions get fulfilled only when all of its sub-conditions pass. - properties: - all: - description: |- - AllConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, all of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: |- - AnyConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, at least one of the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional - display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: Deprecated in favour of 'Type', - to be removed soon - type: string - type: - description: Type defines the type of attestation - contained within the Statement. - type: string - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: |- - Count specifies the required number of entries that must match. If the count is null, all entries must match - (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a - value N, then N must be less than or equal to the size of entries, and at least N entries must match. - minimum: 1 - type: integer - entries: - description: |- - Entries contains the available attestors. An attestor can be a static key, - attributes for keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations are used for image verification. - Every specified key-value pair must exist and match in the verified payload. - The payload may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested set - of Attestor used to specify a more complex - set of match authorities. - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates. - properties: - cert: - description: Cert is an optional PEM-encoded - public certificate. - type: string - certChain: - description: CertChain is an optional - PEM encoded set of certificates - used to verify. - type: string - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - type: object - keyless: - description: |- - Keyless is a set of attribute used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - roots: - description: |- - Roots is an optional set of PEM encoded trusted root certificates. - If not provided, the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address. - type: string - type: object - keys: - description: Keys specifies one or more - public keys. - properties: - ctlog: - description: |- - CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate - Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. - properties: - ignoreSCT: - description: |- - IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate - timestamp. Default is false. Set to true if this was opted out during signing. - type: boolean - pubkey: - description: PubKey, if set, is - used to validate SCTs against - a custom source. - type: string - type: object - kms: - description: |- - KMS provides the URI to the public key stored in a Key Management System. See: - https://github.com/sigstore/cosign/blob/main/KMS.md - type: string - publicKeys: - description: |- - Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly - specified or can be a variable reference to a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying it in the format "k8s:///". - The named Secret must specify a key `cosign.pub` containing the public key used for - verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each key is processed as a separate staticKey entry - (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. - type: string - rekor: - description: |- - Rekor provides configuration for the Rekor transparency log service. If an empty object - is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - properties: - ignoreTlog: - description: IgnoreTlog skips - transparency log verification. - type: boolean - pubkey: - description: |- - RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. - If set, this will be used to validate transparency log signatures from a custom Rekor. - type: string - url: - description: URL is the address - of the transparency log. Defaults - to the public Rekor log instance - https://rekor.sigstore.dev. - type: string - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha224, sha256, sha384 and sha512. - type: string - type: object - repository: - description: |- - Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. - If specified Repository will override other OCI image repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - image: - description: Deprecated. Use ImageReferences instead. - type: string - imageReferences: - description: |- - ImageReferences is a list of matching image reference patterns. At least one pattern in the - list must match the image for the rule to apply. Each image reference consists of a registry - address (defaults to docker.io), repository, image, and tag (defaults to latest). - Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - items: - type: string - type: array - imageRegistryCredentials: - description: ImageRegistryCredentials provides credentials - that will be used for authentication with registry. - properties: - allowInsecureRegistry: - description: AllowInsecureRegistry allows insecure - access to a registry. - type: boolean - providers: - description: |- - Providers specifies a list of OCI Registry names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github. - items: - description: ImageRegistryCredentialsProvidersType - provides the list of credential providers - required. - enum: - - default - - amazon - - azure - - google - - github - type: string - type: array - secrets: - description: |- - Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. - items: - type: string - type: array - type: object - issuer: - description: Deprecated. Use KeylessAttestor instead. - type: string - key: - description: Deprecated. Use StaticKeyAttestor instead. - type: string - mutateDigest: - default: true - description: |- - MutateDigest enables replacement of image tags with digests. - Defaults to true. - type: boolean - repository: - description: |- - Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. - If specified Repository will override the default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. have matched passed a signature or attestation - check. - type: boolean - roots: - description: Deprecated. Use KeylessAttestor instead. - type: string - skipImageReferences: - description: |- - SkipImageReferences is a list of matching image reference patterns that should be skipped. - At least one pattern in the list must match the image for the rule to be skipped. Each image reference - consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). - Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - items: - type: string - type: array - subject: - description: Deprecated. Use KeylessAttestor instead. - type: string - type: - description: |- - Type specifies the method of signature validation. The allowed options - are Cosign and Notary. By default Cosign is used if a type is not specified. - enum: - - Cosign - - Notary - type: string - useCache: - default: true - description: UseCache enables caching of image verify - responses for this rule. - type: boolean - verifyDigest: - default: true - description: VerifyDigest validates that images have - a digest. - type: boolean - type: object - type: array - required: - - name - type: object - type: array - type: object - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - ready: - description: Deprecated in favor of Conditions - type: boolean - rulecount: - description: |- - RuleCountStatus contains four variables which describes counts for - validate, generate, mutate and verify images rules - properties: - generate: - description: Count for generate rules in policy - type: integer - mutate: - description: Count for mutate rules in policy - type: integer - validate: - description: Count for validate rules in policy - type: integer - verifyimages: - description: Count for verify image rules in policy - type: integer - required: - - generate - - mutate - - validate - - verifyimages - type: object - validatingadmissionpolicy: - description: ValidatingAdmissionPolicy contains status information - properties: - generated: - description: Generated indicates whether a validating admission - policy is generated from the policy or not - type: boolean - message: - description: |- - Message is a human readable message indicating details about the generation of validating admission policy - It is an empty string when validating admission policy is successfully generated. - type: string - required: - - generated - - message - type: object - required: - - ready - type: object - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} -{{- end }} diff --git a/charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_policyexceptions.yaml b/charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_policyexceptions.yaml deleted file mode 100644 index 4aed7a38..00000000 --- a/charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_policyexceptions.yaml +++ /dev/null @@ -1,1887 +0,0 @@ -{{- if .Values.groups.kyverno.policyexceptions }} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - {{- include "kyverno.crds.labels" . | nindent 4 }} - annotations: - {{- with .Values.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - controller-gen.kubebuilder.io/version: v0.15.0 - name: policyexceptions.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: PolicyException - listKind: PolicyExceptionList - plural: policyexceptions - shortNames: - - polex - singular: policyexception - scope: Namespaced - versions: - - name: v2 - schema: - openAPIV3Schema: - description: PolicyException declares resources to be excluded from specified - policies. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec declares policy exception behaviors. - properties: - background: - description: |- - Background controls if exceptions are applied to existing policies during a background scan. - Optional. Default value is "true". The value must be set to "false" if the policy rule - uses variables that are only available in the admission review request (e.g. user name). - type: boolean - conditions: - description: |- - Conditions are used to determine if a resource applies to the exception by evaluating a - set of conditions. The declaration can contain nested `any` or `all` statements. - properties: - all: - description: |- - AllConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, all of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: |- - AnyConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, at least one of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - exceptions: - description: Exceptions is a list policy/rules to be excluded - items: - description: Exception stores infos about a policy and rules - properties: - policyName: - description: |- - PolicyName identifies the policy to which the exception is applied. - The policy name uses the format / unless it - references a ClusterPolicy. - type: string - ruleNames: - description: RuleNames identifies the rules to which the exception - is applied. - items: - type: string - type: array - required: - - policyName - - ruleNames - type: object - type: array - match: - description: Match defines match clause used to check if a resource - applies to the exception - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - podSecurity: - description: |- - PodSecurity specifies the Pod Security Standard controls to be excluded. - Applicable only to policies that have validate.podSecurity subrule. - items: - description: PodSecurityStandard specifies the Pod Security Standard - controls to be excluded. - properties: - controlName: - description: |- - ControlName specifies the name of the Pod Security Standard control. - See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: |- - Images selects matching containers and applies the container level PSS. - Each image is the image name consisting of the registry address, repository, image, and tag. - Empty list matches no containers, PSS checks are applied at the pod level only. - Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - items: - type: string - type: array - restrictedField: - description: |- - RestrictedField selects the field for the given Pod Security Standard control. - When not set, all restricted fields for the control are selected. - type: string - values: - description: Values defines the allowed values that can be excluded. - items: - type: string - type: array - required: - - controlName - type: object - type: array - required: - - exceptions - - match - type: object - required: - - spec - type: object - served: true - storage: false - - name: v2alpha1 - schema: - openAPIV3Schema: - description: PolicyException declares resources to be excluded from specified - policies. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec declares policy exception behaviors. - properties: - background: - description: |- - Background controls if exceptions are applied to existing policies during a background scan. - Optional. Default value is "true". The value must be set to "false" if the policy rule - uses variables that are only available in the admission review request (e.g. user name). - type: boolean - conditions: - description: |- - Conditions are used to determine if a resource applies to the exception by evaluating a - set of conditions. The declaration can contain nested `any` or `all` statements. - properties: - all: - description: |- - AllConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, all of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: |- - AnyConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, at least one of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - exceptions: - description: Exceptions is a list policy/rules to be excluded - items: - description: Exception stores infos about a policy and rules - properties: - policyName: - description: |- - PolicyName identifies the policy to which the exception is applied. - The policy name uses the format / unless it - references a ClusterPolicy. - type: string - ruleNames: - description: RuleNames identifies the rules to which the exception - is applied. - items: - type: string - type: array - required: - - policyName - - ruleNames - type: object - type: array - match: - description: Match defines match clause used to check if a resource - applies to the exception - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - podSecurity: - description: |- - PodSecurity specifies the Pod Security Standard controls to be excluded. - Applicable only to policies that have validate.podSecurity subrule. - items: - description: PodSecurityStandard specifies the Pod Security Standard - controls to be excluded. - properties: - controlName: - description: |- - ControlName specifies the name of the Pod Security Standard control. - See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: |- - Images selects matching containers and applies the container level PSS. - Each image is the image name consisting of the registry address, repository, image, and tag. - Empty list matches no containers, PSS checks are applied at the pod level only. - Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - items: - type: string - type: array - restrictedField: - description: |- - RestrictedField selects the field for the given Pod Security Standard control. - When not set, all restricted fields for the control are selected. - type: string - values: - description: Values defines the allowed values that can be excluded. - items: - type: string - type: array - required: - - controlName - type: object - type: array - required: - - exceptions - - match - type: object - required: - - spec - type: object - served: false - storage: false - - name: v2beta1 - schema: - openAPIV3Schema: - description: PolicyException declares resources to be excluded from specified - policies. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec declares policy exception behaviors. - properties: - background: - description: |- - Background controls if exceptions are applied to existing policies during a background scan. - Optional. Default value is "true". The value must be set to "false" if the policy rule - uses variables that are only available in the admission review request (e.g. user name). - type: boolean - conditions: - description: |- - Conditions are used to determine if a resource applies to the exception by evaluating a - set of conditions. The declaration can contain nested `any` or `all` statements. - properties: - all: - description: |- - AllConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, all of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: |- - AnyConditions enable variable-based conditional rule execution. This is useful for - finer control of when an rule is applied. A condition can reference object data - using JMESPath notation. - Here, at least one of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - message: - description: Message is an optional display message - type: string - operator: - description: |- - Operator is the conditional operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: |- - Value is the conditional value, or set of values. The values can be fixed set - or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - exceptions: - description: Exceptions is a list policy/rules to be excluded - items: - description: Exception stores infos about a policy and rules - properties: - policyName: - description: |- - PolicyName identifies the policy to which the exception is applied. - The policy name uses the format / unless it - references a ClusterPolicy. - type: string - ruleNames: - description: RuleNames identifies the rules to which the exception - is applied. - items: - type: string - type: array - required: - - policyName - - ruleNames - type: object - type: array - match: - description: Match defines match clause used to check if a resource - applies to the exception - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: |- - Annotations is a map of annotations (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: |- - Name is the name of the resource. The name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names". - type: string - names: - description: |- - Names are the names of the resources. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is a label selector for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - and `?` (matches one character).Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - Namespaces is a list of namespaces names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" (at least one character). - items: - type: string - type: array - operations: - description: Operations can contain values ["CREATE, - "UPDATE", "CONNECT", "DELETE"], which are used to - match a specific action. - items: - description: AdmissionOperation can have one of the - values CREATE, UPDATE, CONNECT, DELETE, which are - used to match a specific action. - enum: - - CREATE - - CONNECT - - UPDATE - - DELETE - type: string - type: array - selector: - description: |- - Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) and `?` (matches one character). - Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - using ["*" : "*"] matches any key and value but does not match an empty label set. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: |- - Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, - or a value for non-objects such as user and group names. - properties: - apiGroup: - description: |- - APIGroup holds the API group of the referenced subject. - Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User and Group subjects. - type: string - kind: - description: |- - Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". - If the Authorizer does not recognized the kind value, the Authorizer should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: |- - Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - podSecurity: - description: |- - PodSecurity specifies the Pod Security Standard controls to be excluded. - Applicable only to policies that have validate.podSecurity subrule. - items: - description: PodSecurityStandard specifies the Pod Security Standard - controls to be excluded. - properties: - controlName: - description: |- - ControlName specifies the name of the Pod Security Standard control. - See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: |- - Images selects matching containers and applies the container level PSS. - Each image is the image name consisting of the registry address, repository, image, and tag. - Empty list matches no containers, PSS checks are applied at the pod level only. - Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - items: - type: string - type: array - restrictedField: - description: |- - RestrictedField selects the field for the given Pod Security Standard control. - When not set, all restricted fields for the control are selected. - type: string - values: - description: Values defines the allowed values that can be excluded. - items: - type: string - type: array - required: - - controlName - type: object - type: array - required: - - exceptions - - match - type: object - required: - - spec - type: object - served: true - storage: true -{{- end }} diff --git a/charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml b/charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml deleted file mode 100644 index 0dc5a5eb..00000000 --- a/charts/enterprise-kyverno-operator/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml +++ /dev/null @@ -1,784 +0,0 @@ -{{- if .Values.groups.kyverno.updaterequests }} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - {{- include "kyverno.crds.labels" . | nindent 4 }} - annotations: - {{- with .Values.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - controller-gen.kubebuilder.io/version: v0.15.0 - name: updaterequests.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: UpdateRequest - listKind: UpdateRequestList - plural: updaterequests - shortNames: - - ur - singular: updaterequest - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.policy - name: Policy - type: string - - jsonPath: .spec.requestType - name: RuleType - type: string - - jsonPath: .spec.resource.kind - name: ResourceKind - type: string - - jsonPath: .spec.resource.name - name: ResourceName - type: string - - jsonPath: .spec.resource.namespace - name: ResourceNamespace - type: string - - jsonPath: .status.state - name: status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: UpdateRequest is a request to process mutate and generate rules - in background. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ResourceSpec is the information to identify the trigger resource. - properties: - context: - description: Context ... - properties: - admissionRequestInfo: - description: AdmissionRequestInfoObject stores the admission request - and operation details - properties: - admissionRequest: - description: AdmissionRequest describes the admission.Attributes - for the admission request. - properties: - dryRun: - description: |- - DryRun indicates that modifications will definitely not be persisted for this request. - Defaults to false. - type: boolean - kind: - description: Kind is the fully-qualified type of object - being submitted (for example, v1.Pod or autoscaling.v1.Scale) - properties: - group: - type: string - kind: - type: string - version: - type: string - required: - - group - - kind - - version - type: object - name: - description: |- - Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and - rely on the server to generate the name. If that is the case, this field will contain an empty string. - type: string - namespace: - description: Namespace is the namespace associated with - the request (if any). - type: string - object: - description: Object is the object from the incoming request. - type: object - x-kubernetes-preserve-unknown-fields: true - oldObject: - description: OldObject is the existing object. Only populated - for DELETE and UPDATE requests. - type: object - x-kubernetes-preserve-unknown-fields: true - operation: - description: |- - Operation is the operation being performed. This may be different than the operation - requested. e.g. a patch can result in either a CREATE or UPDATE Operation. - type: string - options: - description: |- - Options is the operation option structure of the operation being performed. - e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be - different than the options the caller provided. e.g. for a patch request the performed - Operation might be a CREATE, in which case the Options will a - `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`. - type: object - x-kubernetes-preserve-unknown-fields: true - requestKind: - description: |- - RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). - If this is specified and differs from the value in "kind", an equivalent match and conversion was performed. - - - For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of - `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, - an API request to apps/v1beta1 deployments would be converted and sent to the webhook - with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for), - and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request). - - - See documentation for the "matchPolicy" field in the webhook configuration type for more details. - properties: - group: - type: string - kind: - type: string - version: - type: string - required: - - group - - kind - - version - type: object - requestResource: - description: |- - RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). - If this is specified and differs from the value in "resource", an equivalent match and conversion was performed. - - - For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of - `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, - an API request to apps/v1beta1 deployments would be converted and sent to the webhook - with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for), - and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request). - - - See documentation for the "matchPolicy" field in the webhook configuration type. - properties: - group: - type: string - resource: - type: string - version: - type: string - required: - - group - - resource - - version - type: object - requestSubResource: - description: |- - RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale") - If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed. - See documentation for the "matchPolicy" field in the webhook configuration type. - type: string - resource: - description: Resource is the fully-qualified resource - being requested (for example, v1.pods) - properties: - group: - type: string - resource: - type: string - version: - type: string - required: - - group - - resource - - version - type: object - subResource: - description: SubResource is the subresource being requested, - if any (for example, "status" or "scale") - type: string - uid: - description: |- - UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are - otherwise identical (parallel requests, requests when earlier requests did not modify etc) - The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. - It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging. - type: string - userInfo: - description: UserInfo is information about the requesting - user - properties: - extra: - additionalProperties: - description: ExtraValue masks the value so protobuf - can generate - items: - type: string - type: array - description: Any additional information provided by - the authenticator. - type: object - groups: - description: The names of groups this user is a part - of. - items: - type: string - type: array - uid: - description: |- - A unique value that identifies this user across time. If this user is - deleted and another user by the same name is added, they will have - different UIDs. - type: string - username: - description: The name that uniquely identifies this - user among all active users. - type: string - type: object - required: - - kind - - operation - - resource - - uid - - userInfo - type: object - operation: - description: Operation is the type of resource operation being - checked for admission control - type: string - type: object - userInfo: - description: RequestInfo contains permission info carried in an - admission request. - properties: - clusterRoles: - description: ClusterRoles is a list of possible clusterRoles - send the request. - items: - type: string - nullable: true - type: array - roles: - description: Roles is a list of possible role send the request. - items: - type: string - nullable: true - type: array - userInfo: - description: UserInfo is the userInfo carried in the admission - request. - properties: - extra: - additionalProperties: - description: ExtraValue masks the value so protobuf - can generate - items: - type: string - type: array - description: Any additional information provided by the - authenticator. - type: object - groups: - description: The names of groups this user is a part of. - items: - type: string - type: array - uid: - description: |- - A unique value that identifies this user across time. If this user is - deleted and another user by the same name is added, they will have - different UIDs. - type: string - username: - description: The name that uniquely identifies this user - among all active users. - type: string - type: object - type: object - type: object - deleteDownstream: - description: DeleteDownstream represents whether the downstream needs - to be deleted. - type: boolean - policy: - description: Specifies the name of the policy. - type: string - requestType: - description: Type represents request type for background processing - enum: - - mutate - - generate - type: string - resource: - description: ResourceSpec is the information to identify the trigger - resource. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - uid: - description: UID specifies the resource uid. - type: string - type: object - rule: - description: Rule is the associate rule name of the current UR. - type: string - synchronize: - description: |- - Synchronize represents the sync behavior of the corresponding rule - Optional. Defaults to "false" if not specified. - type: boolean - required: - - context - - deleteDownstream - - policy - - resource - - rule - type: object - status: - description: Status contains statistics related to update request. - properties: - generatedResources: - description: |- - This will track the resources that are updated by the generate Policy. - Will be used during clean up resources. - items: - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - uid: - description: UID specifies the resource uid. - type: string - type: object - type: array - handler: - description: Deprecated - type: string - message: - description: Specifies request status message. - type: string - retryCount: - type: integer - state: - description: State represents state of the update request. - type: string - required: - - state - type: object - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.policy - name: Policy - type: string - - jsonPath: .spec.requestType - name: RuleType - type: string - - jsonPath: .spec.resource.kind - name: ResourceKind - type: string - - jsonPath: .spec.resource.name - name: ResourceName - type: string - - jsonPath: .spec.resource.namespace - name: ResourceNamespace - type: string - - jsonPath: .status.state - name: status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v2 - schema: - openAPIV3Schema: - description: UpdateRequest is a request to process mutate and generate rules - in background. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ResourceSpec is the information to identify the trigger resource. - properties: - context: - description: Context ... - properties: - admissionRequestInfo: - description: AdmissionRequestInfoObject stores the admission request - and operation details - properties: - admissionRequest: - description: AdmissionRequest describes the admission.Attributes - for the admission request. - properties: - dryRun: - description: |- - DryRun indicates that modifications will definitely not be persisted for this request. - Defaults to false. - type: boolean - kind: - description: Kind is the fully-qualified type of object - being submitted (for example, v1.Pod or autoscaling.v1.Scale) - properties: - group: - type: string - kind: - type: string - version: - type: string - required: - - group - - kind - - version - type: object - name: - description: |- - Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and - rely on the server to generate the name. If that is the case, this field will contain an empty string. - type: string - namespace: - description: Namespace is the namespace associated with - the request (if any). - type: string - object: - description: Object is the object from the incoming request. - type: object - x-kubernetes-preserve-unknown-fields: true - oldObject: - description: OldObject is the existing object. Only populated - for DELETE and UPDATE requests. - type: object - x-kubernetes-preserve-unknown-fields: true - operation: - description: |- - Operation is the operation being performed. This may be different than the operation - requested. e.g. a patch can result in either a CREATE or UPDATE Operation. - type: string - options: - description: |- - Options is the operation option structure of the operation being performed. - e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be - different than the options the caller provided. e.g. for a patch request the performed - Operation might be a CREATE, in which case the Options will a - `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`. - type: object - x-kubernetes-preserve-unknown-fields: true - requestKind: - description: |- - RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). - If this is specified and differs from the value in "kind", an equivalent match and conversion was performed. - - - For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of - `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, - an API request to apps/v1beta1 deployments would be converted and sent to the webhook - with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for), - and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request). - - - See documentation for the "matchPolicy" field in the webhook configuration type for more details. - properties: - group: - type: string - kind: - type: string - version: - type: string - required: - - group - - kind - - version - type: object - requestResource: - description: |- - RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). - If this is specified and differs from the value in "resource", an equivalent match and conversion was performed. - - - For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of - `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, - an API request to apps/v1beta1 deployments would be converted and sent to the webhook - with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for), - and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request). - - - See documentation for the "matchPolicy" field in the webhook configuration type. - properties: - group: - type: string - resource: - type: string - version: - type: string - required: - - group - - resource - - version - type: object - requestSubResource: - description: |- - RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale") - If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed. - See documentation for the "matchPolicy" field in the webhook configuration type. - type: string - resource: - description: Resource is the fully-qualified resource - being requested (for example, v1.pods) - properties: - group: - type: string - resource: - type: string - version: - type: string - required: - - group - - resource - - version - type: object - subResource: - description: SubResource is the subresource being requested, - if any (for example, "status" or "scale") - type: string - uid: - description: |- - UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are - otherwise identical (parallel requests, requests when earlier requests did not modify etc) - The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. - It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging. - type: string - userInfo: - description: UserInfo is information about the requesting - user - properties: - extra: - additionalProperties: - description: ExtraValue masks the value so protobuf - can generate - items: - type: string - type: array - description: Any additional information provided by - the authenticator. - type: object - groups: - description: The names of groups this user is a part - of. - items: - type: string - type: array - uid: - description: |- - A unique value that identifies this user across time. If this user is - deleted and another user by the same name is added, they will have - different UIDs. - type: string - username: - description: The name that uniquely identifies this - user among all active users. - type: string - type: object - required: - - kind - - operation - - resource - - uid - - userInfo - type: object - operation: - description: Operation is the type of resource operation being - checked for admission control - type: string - type: object - userInfo: - description: RequestInfo contains permission info carried in an - admission request. - properties: - clusterRoles: - description: ClusterRoles is a list of possible clusterRoles - send the request. - items: - type: string - nullable: true - type: array - roles: - description: Roles is a list of possible role send the request. - items: - type: string - nullable: true - type: array - userInfo: - description: UserInfo is the userInfo carried in the admission - request. - properties: - extra: - additionalProperties: - description: ExtraValue masks the value so protobuf - can generate - items: - type: string - type: array - description: Any additional information provided by the - authenticator. - type: object - groups: - description: The names of groups this user is a part of. - items: - type: string - type: array - uid: - description: |- - A unique value that identifies this user across time. If this user is - deleted and another user by the same name is added, they will have - different UIDs. - type: string - username: - description: The name that uniquely identifies this user - among all active users. - type: string - type: object - type: object - type: object - deleteDownstream: - description: DeleteDownstream represents whether the downstream needs - to be deleted. - type: boolean - policy: - description: Specifies the name of the policy. - type: string - requestType: - description: Type represents request type for background processing - enum: - - mutate - - generate - type: string - resource: - description: ResourceSpec is the information to identify the trigger - resource. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - uid: - description: UID specifies the resource uid. - type: string - type: object - rule: - description: Rule is the associate rule name of the current UR. - type: string - synchronize: - description: |- - Synchronize represents the sync behavior of the corresponding rule - Optional. Defaults to "false" if not specified. - type: boolean - required: - - context - - deleteDownstream - - policy - - resource - - rule - type: object - status: - description: Status contains statistics related to update request. - properties: - generatedResources: - description: |- - This will track the resources that are updated by the generate Policy. - Will be used during clean up resources. - items: - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - uid: - description: UID specifies the resource uid. - type: string - type: object - type: array - message: - description: Specifies request status message. - type: string - retryCount: - type: integer - state: - description: State represents state of the update request. - type: string - required: - - state - type: object - type: object - served: true - storage: false - subresources: - status: {} -{{- end }} diff --git a/charts/enterprise-kyverno-operator/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_clusterephemeralreports.yaml b/charts/enterprise-kyverno-operator/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_clusterephemeralreports.yaml deleted file mode 100644 index 5eec27ab..00000000 --- a/charts/enterprise-kyverno-operator/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_clusterephemeralreports.yaml +++ /dev/null @@ -1,357 +0,0 @@ -{{- if .Values.groups.reports.clusterephemeralreports }} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - {{- include "kyverno.crds.labels" . | nindent 4 }} - annotations: - {{- with .Values.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - controller-gen.kubebuilder.io/version: v0.15.0 - name: clusterephemeralreports.reports.kyverno.io -spec: - group: reports.kyverno.io - names: - categories: - - kyverno - kind: ClusterEphemeralReport - listKind: ClusterEphemeralReportList - plural: clusterephemeralreports - shortNames: - - cephr - singular: clusterephemeralreport - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.labels['audit\.kyverno\.io/source'] - name: Source - type: string - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.group'] - name: Group - type: string - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.kind'] - name: Kind - type: string - - jsonPath: .metadata.annotations['audit\.kyverno\.io/resource\.name'] - name: Owner - type: string - - jsonPath: .spec.summary.pass - name: Pass - type: integer - - jsonPath: .spec.summary.fail - name: Fail - type: integer - - jsonPath: .spec.summary.warn - name: Warn - type: integer - - jsonPath: .spec.summary.error - name: Error - type: integer - - jsonPath: .spec.summary.skip - name: Skip - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.uid'] - name: Uid - type: string - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash'] - name: Hash - priority: 1 - type: string - name: v1 - schema: - openAPIV3Schema: - description: ClusterEphemeralReport is the Schema for the ClusterEphemeralReports - API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - owner: - description: Owner is a reference to the report owner (e.g. a Deployment, - Namespace, or Node) - properties: - apiVersion: - description: API version of the referent. - type: string - blockOwnerDeletion: - description: |- - If true, AND if the owner has the "foregroundDeletion" finalizer, then - the owner cannot be deleted from the key-value store until this - reference is removed. - See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion - for how the garbage collector interacts with this field and enforces the foreground deletion. - Defaults to false. - To set this field, a user needs "delete" permission of the owner, - otherwise 422 (Unprocessable Entity) will be returned. - type: boolean - controller: - description: If true, this reference points to the managing controller. - type: boolean - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids - type: string - required: - - apiVersion - - kind - - name - - uid - type: object - x-kubernetes-map-type: atomic - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for - the policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for - the policy rule - type: object - resourceSelector: - description: |- - SubjectSelector is an optional label selector for checked Kubernetes resources. - For example, a policy result may apply to all pods that match a label. - Either a Subject or a SubjectSelector can be specified. - If neither are provided, the result is assumed to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - resources: - description: Subjects is an optional reference to the checked - Kubernetes resources - items: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - type: array - result: - description: Result indicates the outcome of the policy rule - execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within - the policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: |- - Non-negative fractions of a second at nanosecond resolution. Negative - second values with fractions must still have non-negative nanos values - that count forward in time. Must be from 0 to 999,999,999 - inclusive. This field may be limited in precision depending on context. - format: int32 - type: integer - seconds: - description: |- - Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not - be evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not - selected for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - required: - - owner - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} -{{- end }} diff --git a/charts/enterprise-kyverno-operator/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_ephemeralreports.yaml b/charts/enterprise-kyverno-operator/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_ephemeralreports.yaml deleted file mode 100644 index da1fd050..00000000 --- a/charts/enterprise-kyverno-operator/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_ephemeralreports.yaml +++ /dev/null @@ -1,357 +0,0 @@ -{{- if .Values.groups.reports.ephemeralreports }} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - {{- include "kyverno.crds.labels" . | nindent 4 }} - annotations: - {{- with .Values.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - controller-gen.kubebuilder.io/version: v0.15.0 - name: ephemeralreports.reports.kyverno.io -spec: - group: reports.kyverno.io - names: - categories: - - kyverno - kind: EphemeralReport - listKind: EphemeralReportList - plural: ephemeralreports - shortNames: - - ephr - singular: ephemeralreport - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.labels['audit\.kyverno\.io/source'] - name: Source - type: string - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.group'] - name: Group - type: string - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.kind'] - name: Kind - type: string - - jsonPath: .metadata.annotations['audit\.kyverno\.io/resource\.name'] - name: Owner - type: string - - jsonPath: .spec.summary.pass - name: Pass - type: integer - - jsonPath: .spec.summary.fail - name: Fail - type: integer - - jsonPath: .spec.summary.warn - name: Warn - type: integer - - jsonPath: .spec.summary.error - name: Error - type: integer - - jsonPath: .spec.summary.skip - name: Skip - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.uid'] - name: Uid - priority: 1 - type: string - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash'] - name: Hash - priority: 1 - type: string - name: v1 - schema: - openAPIV3Schema: - description: EphemeralReport is the Schema for the EphemeralReports API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - owner: - description: Owner is a reference to the report owner (e.g. a Deployment, - Namespace, or Node) - properties: - apiVersion: - description: API version of the referent. - type: string - blockOwnerDeletion: - description: |- - If true, AND if the owner has the "foregroundDeletion" finalizer, then - the owner cannot be deleted from the key-value store until this - reference is removed. - See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion - for how the garbage collector interacts with this field and enforces the foreground deletion. - Defaults to false. - To set this field, a user needs "delete" permission of the owner, - otherwise 422 (Unprocessable Entity) will be returned. - type: boolean - controller: - description: If true, this reference points to the managing controller. - type: boolean - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids - type: string - required: - - apiVersion - - kind - - name - - uid - type: object - x-kubernetes-map-type: atomic - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for - the policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for - the policy rule - type: object - resourceSelector: - description: |- - SubjectSelector is an optional label selector for checked Kubernetes resources. - For example, a policy result may apply to all pods that match a label. - Either a Subject or a SubjectSelector can be specified. - If neither are provided, the result is assumed to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - resources: - description: Subjects is an optional reference to the checked - Kubernetes resources - items: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - type: array - result: - description: Result indicates the outcome of the policy rule - execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within - the policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: |- - Non-negative fractions of a second at nanosecond resolution. Negative - second values with fractions must still have non-negative nanos values - that count forward in time. Must be from 0 to 999,999,999 - inclusive. This field may be limited in precision depending on context. - format: int32 - type: integer - seconds: - description: |- - Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not - be evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not - selected for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - required: - - owner - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} -{{- end }} diff --git a/charts/enterprise-kyverno-operator/crds/security.nirmata.io_kyvernoes.yaml b/charts/enterprise-kyverno-operator/crds/security.nirmata.io_kyvernoes.yaml index 11f60235..8d4b359d 100644 --- a/charts/enterprise-kyverno-operator/crds/security.nirmata.io_kyvernoes.yaml +++ b/charts/enterprise-kyverno-operator/crds/security.nirmata.io_kyvernoes.yaml @@ -3,10 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - labels: - app.kubernetes.io/part-of: nirmata-kyverno-operator - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.15.0 name: kyvernoconfigs.security.nirmata.io spec: group: security.nirmata.io @@ -14,11 +11,11 @@ spec: kind: KyvernoConfig listKind: KyvernoConfigList plural: kyvernoconfigs - singular: kyvernoconfig shortNames: - kycfg - kyvernocfg - kyvernoconf + singular: kyvernoconfig scope: Namespaced versions: - additionalPrinterColumns: @@ -41,53 +38,27 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: Kyverno is the Schema for the kyvernoconfigs API + description: KyvernoConfig is the Schema for the kyvernoconfig API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: KyvernoSpec defines the desired state of Kyverno - properties: - apiKey: - type: string - helm: - additionalProperties: - type: object - x-kubernetes-preserve-unknown-fields: true - description: Finer customizations for each component are provided - in a generic object structure, typically matching the value.yaml - of individual components - type: object - licenseKey: - type: string - namespace: - default: kyverno - enum: - - kyverno - type: string - replicas: - default: 1 - format: int32 - type: integer - repository: - default: ghcr.io/nirmata - type: string - secrets: - description: Secrets storing licenseKey, apiKey - type: string - version: - default: v1.10.4-n4k.nirmata.1 - type: string + description: KyvernoConfigSpec defines the desired state of Kyverno type: object status: description: KyvernoStatus defines the observed state of Kyverno @@ -100,37 +71,37 @@ spec: operational state. properties: lastTransitionTime: - description: Last time the condition transitioned from one status - to another. This should be when the underlying condition changed. - If that is not known, then using the time when the API field - changed is acceptable. + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. format: date-time type: string message: - description: A human readable message indicating details about - the transition. This field may be empty. + description: |- + A human readable message indicating details about the transition. + This field may be empty. type: string reason: - description: The reason for the condition's last transition - in CamelCase. The specific API may choose whether or not this - field is considered a guaranteed API. This field may not be - empty. + description: |- + The reason for the condition's last transition in CamelCase. + The specific API may choose whether or not this field is considered a guaranteed API. + This field may not be empty. type: string severity: - description: Severity provides an explicit classification of - Reason code, so the users or machines can immediately understand - the current situation and act accordingly. The Severity field - MUST be set only when Status=False. + description: |- + Severity provides an explicit classification of Reason code, so the users or machines can immediately + understand the current situation and act accordingly. + The Severity field MUST be set only when Status=False. type: string status: description: Status of the condition, one of True, False, Unknown. type: string type: - description: Type of condition in CamelCase or in foo.example.com/CamelCase. - Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. + description: |- + Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability to deconflict is important. type: string required: - lastTransitionTime @@ -147,6 +118,13 @@ spec: lastUpdated: format: date-time type: string + namespace: + type: string + replicas: + format: int32 + type: integer + version: + type: string required: - isHA - isRunning diff --git a/charts/enterprise-kyverno-operator/templates/_cr-kyverno-helpers.tpl b/charts/enterprise-kyverno-operator/templates/_cr-kyverno-helpers.tpl deleted file mode 100644 index 67b0ed92..00000000 --- a/charts/enterprise-kyverno-operator/templates/_cr-kyverno-helpers.tpl +++ /dev/null @@ -1,161 +0,0 @@ -{{- define "enterprise-kyverno.kyveroDefaultHelm" -}} -content: - config: - webhooks: - #Exclude namespaces - - namespaceSelector: - matchExpressions: - - key: kubernetes.io/metadata.name - operator: NotIn - values: - {{- $excludedNamespaces := include "kyverno.excludedNamespaces" . | fromJsonArray }} - {{- range $excludedNamespaces}} - - {{.}} - {{- end }} - {{- if eq .Values.cloudPlatform "aks" }} - webhookAnnotations: - 'admissions.enforcer/disabled': 'true' - {{- end}} - - {{- if eq .Values.cloudPlatform "openshift" }} - securityContext: NULLOBJ - {{- end}} - - - {{- if eq .Values.cloudPlatform "eks" }} - hostNetwork: true - {{- end }} - - {{- if eq .Values.kyverno.enablePolicyExceptions true }} - features: - policyExceptions: - enabled: true - namespace: {{ include "kyverno.namespace" . }} - {{- end }} - - {{- if .Values.kyverno.helm }} - {{- toYaml .Values.kyverno.helm | nindent 6 }} - {{- end}} - customLabels: -{{- if .Values.globalLabels }} -{{- toYaml .Values.globalLabels | nindent 8 }} -{{- end}} - customAnnotations: -{{- if .Values.globalAnnotations }} -{{- toYaml .Values.globalAnnotations | nindent 8 }} -{{- end}} - admissionController: - podLabels: -{{- if .Values.globalLabels }} -{{- toYaml .Values.globalLabels | nindent 10 }} -{{- end}} - podAnnotations: -{{- if .Values.globalAnnotations }} -{{- toYaml .Values.globalAnnotations | nindent 10 }} -{{- end}} - container: - image: - tag: {{ .Values.kyverno.image.tag }} - initContainer: - image: - tag: {{ .Values.kyverno.image.tag }} - imagePullSecrets: - - name: {{ .Values.image.pullSecrets.name }} - backgroundController: - podLabels: -{{- if .Values.globalLabels }} -{{- toYaml .Values.globalLabels | nindent 10 }} -{{- end}} - podAnnotations: -{{- if .Values.globalAnnotations }} -{{- toYaml .Values.globalAnnotations | nindent 10 }} -{{- end}} - image: - tag: {{ .Values.kyverno.image.tag }} - imagePullSecrets: - - name: {{ .Values.image.pullSecrets.name }} - cleanupController: - podLabels: -{{- if .Values.globalLabels }} -{{- toYaml .Values.globalLabels | nindent 10 }} -{{- end}} - podAnnotations: -{{- if .Values.globalAnnotations }} -{{- toYaml .Values.globalAnnotations | nindent 10 }} -{{- end}} - image: - tag: {{ .Values.kyverno.image.tag }} - imagePullSecrets: - - name: {{ .Values.image.pullSecrets.name }} - reportsController: - podLabels: -{{- if .Values.globalLabels }} -{{- toYaml .Values.globalLabels | nindent 10 }} -{{- end}} - podAnnotations: -{{- if .Values.globalAnnotations }} -{{- toYaml .Values.globalAnnotations | nindent 10 }} -{{- end}} - image: - tag: {{ .Values.kyverno.image.tag }} - imagePullSecrets: - - name: {{ .Values.image.pullSecrets.name }} - clusterAdmissionReports: - podLabels: -{{- if .Values.globalLabels }} -{{- toYaml .Values.globalLabels | nindent 10 }} -{{- end}} - podAnnotations: -{{- if .Values.globalAnnotations }} -{{- toYaml .Values.globalAnnotations | nindent 10 }} -{{- end}} - imagePullSecrets: - - name: {{ .Values.image.pullSecrets.name }} - cleanupJobs: - admissionReports: - podLabels: - {{- if .Values.globalLabels }} - {{- toYaml .Values.globalLabels | nindent 12 }} - {{- end}} - podAnnotations: - {{- if .Values.globalAnnotations }} - {{- toYaml .Values.globalAnnotations | nindent 12 }} - {{- end}} - imagePullSecrets: - - name: {{ .Values.image.pullSecrets.name }} - image: - registry: {{.Values.kyverno.cleanupJobsRegistry}} - clusterAdmissionReports: - podLabels: - {{- if .Values.globalLabels }} - {{- toYaml .Values.globalLabels | nindent 12 }} - {{- end}} - podAnnotations: - {{- if .Values.globalAnnotations }} - {{- toYaml .Values.globalAnnotations | nindent 12 }} - {{- end}} - imagePullSecrets: - - name: {{ .Values.image.pullSecrets.name }} - image: - registry: {{.Values.kyverno.cleanupJobsRegistry}} - {{- if .Values.image.pullSecrets.create }} - imagePullSecrets: - image-pull-secret: - registry: {{.Values.image.pullSecrets.registry}} - username: {{.Values.image.pullSecrets.username}} - password: {{.Values.image.pullSecrets.password}} - {{- end}} - licenseManager: - imageRepository: {{ .Values.kyverno.image.repository }}/nirmata/kyverno-license-manager - imageTag: "v0.1.3" - productName: "" -{{- end -}} - -{{- define "enterprise-kyverno.combinedKyveroHelm" }} - -{{- if .Values.kyverno.helm }} -{{- (merge .Values.kyverno.helm (include "enterprise-kyverno.kyveroDefaultHelm" . | fromYaml).content) | toYaml -}} -{{- else -}} -{{- (include "enterprise-kyverno.kyveroDefaultHelm" . | fromYaml).content | toYaml -}} -{{- end}} -{{- end -}} diff --git a/charts/enterprise-kyverno-operator/templates/aws-adapter-0.3/crds/aws-adapter-config-crd.yaml b/charts/enterprise-kyverno-operator/templates/aws-adapter-0.3/crds/aws-adapter-config-crd.yaml deleted file mode 100644 index 7f150f71..00000000 --- a/charts/enterprise-kyverno-operator/templates/aws-adapter-0.3/crds/aws-adapter-config-crd.yaml +++ /dev/null @@ -1,411 +0,0 @@ -{{- if and (eq .Values.awsAdapter.rbac.create true) (not .Values.rbac.operatorHasAdminPerms ) }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.9.2 - creationTimestamp: null - name: awsadapterconfigs.security.nirmata.io -spec: - group: security.nirmata.io - names: - kind: AWSAdapterConfig - listKind: AWSAdapterConfigList - plural: awsadapterconfigs - shortNames: - - awsacfg - singular: awsadapterconfig - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.name - name: Cluster Name - type: string - - jsonPath: .spec.region - name: Region - type: string - - jsonPath: .status.eksCluster.status - name: Cluster Status - type: string - - jsonPath: .status.eksCluster.kubernetesVersion - name: Kubernetes Version - type: string - - jsonPath: .status.lastPollInfo.status - name: Last Polled Status - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: AWSAdapterConfig is the Schema for the awsadapterconfigs API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: AWSAdapterConfigSpec defines the desired state of AWSAdapterConfig - properties: - name: - description: EKS cluster's name - type: string - region: - description: EKS cluster's region - type: string - required: - - name - - region - type: object - status: - description: AWSAdapterConfigStatus defines the observed state of AWSAdapterConfig - properties: - accountData: - description: AccountData contains the AWS Account details - properties: - id: - type: string - inspectorEnabledEC2: - type: boolean - inspectorEnabledECR: - type: boolean - type: object - ecrRepositories: - items: - description: ECRRepository contains container repository details - properties: - imageTagMutable: - type: boolean - repositoryName: - type: string - repositoryUri: - type: string - type: object - type: array - eksCluster: - description: 'EKS cluster details fetched from AWS For details of - individual fields, refer to AWS SDK docs: https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/eks@v1.22.1/types#Cluster' - properties: - addons: - items: - type: string - type: array - arn: - type: string - certificate: - type: string - compute: - description: EKSCompute contains node groups and fargate profiles - of the EKS cluster - properties: - fargateProfiles: - items: - type: string - type: array - nodeGroups: - items: - description: EKSNodeGroup contains info of the EKS cluster's - node group - properties: - amazonMachineImage: - properties: - architecture: - type: string - creationTime: - type: string - deprecationTime: - type: string - id: - type: string - instanceType: - type: string - location: - type: string - name: - type: string - ownerId: - type: string - platformDetails: - type: string - public: - type: boolean - state: - type: string - type: - type: string - type: object - amiReleaseVersion: - type: string - amiType: - type: string - capacityType: - type: string - createdAt: - type: string - diskSize: - format: int32 - type: integer - healthIssues: - items: - description: EKSNodeGroupHealthIssue contains info - of any health issue in the EKS cluster's node group - properties: - code: - type: string - message: - type: string - resourceIDs: - items: - type: string - type: array - type: object - type: array - labels: - additionalProperties: - type: string - type: object - launchTemplate: - description: EC2LaunchTemplate contains launch template - info the EKS cluster's node group - properties: - id: - type: string - name: - type: string - version: - type: string - type: object - name: - type: string - nodeGroupArn: - type: string - nodeRole: - type: string - remoteAccessConfig: - description: EKSNodeGroupRemoteAccessConfig contains - remote access configuration of the EKS cluster's node - group - properties: - ec2SSHKey: - type: string - sourceSecurityGroups: - items: - type: string - type: array - type: object - resources: - description: EKSNodeGroupResources contains info of - ASG and remote access SG for node group - properties: - autoScalingGroups: - items: - type: string - type: array - remoteAccessSecurityGroup: - type: string - type: object - scalingConfig: - description: EKSNodeGroupScalingConfig contains scaling - configuration of the EKS cluster's node group - properties: - desiredSize: - format: int32 - type: integer - maxSize: - format: int32 - type: integer - minSize: - format: int32 - type: integer - type: object - status: - type: string - subnets: - items: - type: string - type: array - tags: - additionalProperties: - type: string - type: object - taints: - items: - description: EKSNodeGroupTaint contains info of taints - in the EKS cluster's node group - properties: - effect: - type: string - key: - type: string - value: - type: string - type: object - type: array - updateConfig: - description: EKSNodeGroupUpdateConfig contains number/percentage - of node groups that can be updated in parallel - properties: - maxUnavailable: - format: int32 - type: integer - maxUnavailablePercentage: - format: int32 - type: integer - type: object - type: object - type: array - reservations: - items: - properties: - instances: - items: - properties: - httpPutResponseHopLimit: - format: int32 - type: integer - publicDnsName: - type: string - type: object - type: array - type: object - type: array - type: object - createdAt: - type: string - encryptionConfig: - items: - description: EKSEncryptionConfig contains encryption configuration - of the EKS cluster - properties: - keyARN: - type: string - resources: - items: - type: string - type: array - type: object - type: array - endpoint: - type: string - id: - type: string - identityProviderConfigs: - items: - type: string - type: array - kubernetesVersion: - type: string - logging: - description: EKSLogging contains info of which logs are enabled - properties: - apiServer: - type: boolean - audit: - type: boolean - authenticator: - type: boolean - controllerManager: - type: boolean - scheduler: - type: boolean - type: object - name: - type: string - networking: - description: EKSNetworking contains networking configuration of - the EKS cluster - properties: - ipFamily: - type: string - serviceIPv4CIDR: - type: string - serviceIPv6CIDR: - type: string - vpc: - description: EKSVpcConfig contains VPC configuration of the - EKS cluster - properties: - clusterSecurityGroupID: - type: string - endpointPrivateAccess: - type: boolean - endpointPublicAccess: - type: boolean - flowLogsEnabled: - type: boolean - publicAccessCIDRs: - items: - type: string - type: array - securityGroupIDs: - items: - type: string - type: array - subnetIDs: - items: - type: string - type: array - vpcID: - type: string - type: object - type: object - oidcProvider: - type: string - platformVersion: - type: string - region: - type: string - roleArn: - type: string - status: - type: string - tags: - additionalProperties: - type: string - type: object - required: - - name - - region - - status - type: object - lastPollInfo: - description: Information on when the adapter last tried to fetch the - EKS cluster details - properties: - failure: - description: PollFailure contains the Error and relevant Message - if got Failure in last poll - properties: - error: - type: string - message: - type: string - required: - - error - - message - type: object - status: - type: string - timestamp: - format: date-time - type: string - type: object - lastUpdatedTimestamp: - description: Timestamp when the Status was last updated - format: date-time - type: string - required: - - lastPollInfo - type: object - type: object - served: true - storage: true - subresources: - status: {} -{{- end }} diff --git a/charts/enterprise-kyverno-operator/templates/aws-adapter-0.3/namespace/aws-adapter.yaml b/charts/enterprise-kyverno-operator/templates/aws-adapter-0.3/namespace/aws-adapter.yaml deleted file mode 100644 index 67598ca0..00000000 --- a/charts/enterprise-kyverno-operator/templates/aws-adapter-0.3/namespace/aws-adapter.yaml +++ /dev/null @@ -1,6 +0,0 @@ -{{- if .Values.awsAdapter.rbac.create }} -apiVersion: v1 -kind: Namespace -metadata: - name: {{ include "kyverno-aws-adapter.namespace" . }} -{{- end}} diff --git a/charts/enterprise-kyverno-operator/templates/aws-adapter-0.3/namespace/rolebindings.yaml b/charts/enterprise-kyverno-operator/templates/aws-adapter-0.3/namespace/rolebindings.yaml deleted file mode 100644 index cb60c7ba..00000000 --- a/charts/enterprise-kyverno-operator/templates/aws-adapter-0.3/namespace/rolebindings.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if .Values.awsAdapter.rbac.create }} -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ template "kyverno-aws-adapter.name" . }}-installer - namespace: {{ include "kyverno-aws-adapter.namespace" . }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "kyverno-aws-adapter.name" . }}-installer -subjects: -- kind: ServiceAccount - name: {{ template "enterprise-kyverno.rbac.serviceAccountName" . }} - namespace: {{ template "enterprise-kyverno.namespace" . }} -{{- end }} diff --git a/charts/enterprise-kyverno-operator/templates/aws-adapter-0.3/namespace/roles.yaml b/charts/enterprise-kyverno-operator/templates/aws-adapter-0.3/namespace/roles.yaml deleted file mode 100644 index 97ddb30e..00000000 --- a/charts/enterprise-kyverno-operator/templates/aws-adapter-0.3/namespace/roles.yaml +++ /dev/null @@ -1,11 +0,0 @@ -{{- if .Values.awsAdapter.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - namespace: {{ include "kyverno-aws-adapter.namespace" . }} - name: {{ include "kyverno-aws-adapter.name" . }}-installer -rules: -- apiGroups: ["*"] - resources: ["*"] - verbs: ["*"] -{{- end}} diff --git a/charts/enterprise-kyverno-operator/templates/aws-adapter-0.3/rbac/_helpers.tpl b/charts/enterprise-kyverno-operator/templates/aws-adapter-0.3/rbac/_helpers.tpl deleted file mode 100644 index 6ed9a08b..00000000 --- a/charts/enterprise-kyverno-operator/templates/aws-adapter-0.3/rbac/_helpers.tpl +++ /dev/null @@ -1,64 +0,0 @@ -{{/* -Expand the name of the chart. -*/}} -{{- define "kyverno-aws-adapter.name" -}} -{{- default "kyverno-aws-adapter" .Values.awsAdapter.nameOverride | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "kyverno-aws-adapter.fullname" -}} -{{- if .Values.awsAdapter.fullnameOverride }} -{{- .Values.awsAdapter.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default "kyverno-aws-adapter" .Values.awsAdapter.nameOverride }} -{{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "kyverno-aws-adapter.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* Create the name of the service account to use */}} -{{- define "kyverno-aws-adapter.serviceAccountName" -}} -{{- if .Values.awsAdapter.rbac.create -}} - {{ default (include "kyverno-aws-adapter.fullname" .) .Values.awsAdapter.rbac.serviceAccount.name }} -{{- else -}} - {{ required "A service account name is required when `rbac.create` is set to `false`" .Values.awsAdapter.rbac.serviceAccount.name }} -{{- end -}} -{{- end -}} - -{{/* -Common labels -*/}} -{{- define "kyverno-aws-adapter.labels" -}} -helm.sh/chart: {{ include "kyverno-aws-adapter.chart" . }} -{{ include "kyverno-aws-adapter.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "kyverno-aws-adapter.selectorLabels" -}} -app.kubernetes.io/name: {{ include "kyverno-aws-adapter.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} - -{{- define "kyverno-aws-adapter.image" -}} -{{ printf "%s:%s" (required "An image repository is required" .Values.awsAdapter.image.repository) (default .Chart.AppVersion .Values.awsAdapter.image.tag) }} -{{- end }} diff --git a/charts/enterprise-kyverno-operator/templates/aws-adapter-0.3/rbac/rbac.yaml b/charts/enterprise-kyverno-operator/templates/aws-adapter-0.3/rbac/rbac.yaml deleted file mode 100644 index f70b6b6c..00000000 --- a/charts/enterprise-kyverno-operator/templates/aws-adapter-0.3/rbac/rbac.yaml +++ /dev/null @@ -1,65 +0,0 @@ -{{- if and (eq .Values.awsAdapter.rbac.create true) (not .Values.rbac.operatorHasAdminPerms) }} -# permissions for end users to edit awsadapterconfigs. -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "kyverno-aws-adapter.fullname" . }} - labels: - {{- include "kyverno-aws-adapter.labels" . | nindent 4 }} -rules: -- apiGroups: - - security.nirmata.io - resources: - - awsadapterconfigs - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - security.nirmata.io - resources: - - awsadapterconfigs/status - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - security.nirmata.io - resources: - - awsadapterconfigs/finalizers - verbs: - - update ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "kyverno-aws-adapter.serviceAccountName" . }} - namespace: {{ include "kyverno-aws-adapter.namespace" . }} - labels: - {{- include "kyverno-aws-adapter.labels" . | nindent 4 }} - annotations: - eks.amazonaws.com/role-arn: {{ required "awsAdapter.roleArn is required" .Values.awsAdapter.roleArn }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "kyverno-aws-adapter.fullname" . }} - labels: - {{- include "kyverno-aws-adapter.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "kyverno-aws-adapter.fullname" . }} -subjects: -- kind: ServiceAccount - name: {{ include "kyverno-aws-adapter.serviceAccountName" . }} - namespace: {{ include "kyverno-aws-adapter.namespace" . }} -{{- end }} diff --git a/charts/enterprise-kyverno-operator/templates/cis-adapter-1.2/namespace/namespace/cis-adapter.yaml b/charts/enterprise-kyverno-operator/templates/cis-adapter-1.2/namespace/namespace/cis-adapter.yaml deleted file mode 100644 index 27c81506..00000000 --- a/charts/enterprise-kyverno-operator/templates/cis-adapter-1.2/namespace/namespace/cis-adapter.yaml +++ /dev/null @@ -1,8 +0,0 @@ -{{- if .Values.cisAdapter.rbac.create }} -apiVersion: v1 -kind: Namespace -metadata: - labels: - {{- include "kube-bench.labels" . | nindent 4 }} - name: {{ include "kube-bench.namespace" . }} -{{- end }} diff --git a/charts/enterprise-kyverno-operator/templates/cis-adapter-1.2/namespace/namespace/rolebindings.yaml b/charts/enterprise-kyverno-operator/templates/cis-adapter-1.2/namespace/namespace/rolebindings.yaml deleted file mode 100644 index 427efca7..00000000 --- a/charts/enterprise-kyverno-operator/templates/cis-adapter-1.2/namespace/namespace/rolebindings.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if .Values.cisAdapter.rbac.create }} -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ template "kube-bench.name" . }}-installer - namespace: {{ include "kube-bench.namespace" . }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "kube-bench.name" . }}-installer -subjects: -- kind: ServiceAccount - name: {{ template "enterprise-kyverno.rbac.serviceAccountName" . }} - namespace: {{ template "enterprise-kyverno.namespace" . }} -{{- end }} diff --git a/charts/enterprise-kyverno-operator/templates/cis-adapter-1.2/namespace/namespace/roles.yaml b/charts/enterprise-kyverno-operator/templates/cis-adapter-1.2/namespace/namespace/roles.yaml deleted file mode 100644 index 2c7719e2..00000000 --- a/charts/enterprise-kyverno-operator/templates/cis-adapter-1.2/namespace/namespace/roles.yaml +++ /dev/null @@ -1,11 +0,0 @@ -{{- if .Values.cisAdapter.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - namespace: {{ include "kube-bench.namespace" . }} - name: {{ include "kube-bench.name" . }}-installer -rules: -- apiGroups: ["*"] - resources: ["*"] - verbs: ["*"] -{{- end }} diff --git a/charts/enterprise-kyverno-operator/templates/cis-adapter-1.2/rbac/_helpers.tpl b/charts/enterprise-kyverno-operator/templates/cis-adapter-1.2/rbac/_helpers.tpl deleted file mode 100644 index d8c08614..00000000 --- a/charts/enterprise-kyverno-operator/templates/cis-adapter-1.2/rbac/_helpers.tpl +++ /dev/null @@ -1,70 +0,0 @@ -{{/* -Expand the name of the chart. -*/}} -{{- define "kube-bench.name" -}} -{{- default "cis-adapter" .Values.cisAdapter.nameOverride | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "kube-bench.fullname" -}} -{{- if .Values.cisAdapter.fullnameOverride }} -{{- .Values.cisAdapter.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default "cis-adapter" .Values.cisAdapter.nameOverride }} -{{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "kube-bench.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "kube-bench.labels" -}} -app.kubernetes.io/instance: nirmata -app.kubernetes.io/name: nirmata -helm.sh/chart: {{ include "kube-bench.chart" . }} -{{ include "kube-bench.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* matchLabels */}} -{{- define "kube-bench.matchLabels" -}} -app.kubernetes.io/name: nirmata -app.kubernetes.io/instance: nirmata -{{- end -}} - -{{/* -Selector labels -*/}} -{{- define "kube-bench.selectorLabels" -}} -app.kubernetes.io/name: {{ include "kube-bench.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} - -{{/* -Create the name of the service account to use -*/}} -{{- define "kube-bench.serviceAccountName" -}} -{{- if .Values.cisAdapter.serviceAccount.create }} -{{- default (include "kube-bench.fullname" .) .Values.cisAdapter.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.cisAdapter.serviceAccount.name }} -{{- end }} -{{- end }} diff --git a/charts/enterprise-kyverno-operator/templates/cis-adapter-1.2/rbac/rb.yaml b/charts/enterprise-kyverno-operator/templates/cis-adapter-1.2/rbac/rb.yaml deleted file mode 100644 index 5b9c2cf1..00000000 --- a/charts/enterprise-kyverno-operator/templates/cis-adapter-1.2/rbac/rb.yaml +++ /dev/null @@ -1,16 +0,0 @@ -{{- if .Values.cisAdapter.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "kube-bench.fullname" . }} - labels: - {{- include "kube-bench.labels" . | nindent 4 }} -subjects: -- kind: ServiceAccount - name: {{ include "kube-bench.fullname" . }} # Name of the ServiceAccount - namespace: {{.Values.cisAdapter.namespace}} -roleRef: - kind: ClusterRole # This must be Role or ClusterRole - name: {{ include "kube-bench.fullname" . }} # This must match the name of the Role or ClusterRole you wish to bind to - apiGroup: rbac.authorization.k8s.io -{{- end }} diff --git a/charts/enterprise-kyverno-operator/templates/cis-adapter-1.2/rbac/role.yaml b/charts/enterprise-kyverno-operator/templates/cis-adapter-1.2/rbac/role.yaml deleted file mode 100644 index 16046d44..00000000 --- a/charts/enterprise-kyverno-operator/templates/cis-adapter-1.2/rbac/role.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- if .Values.cisAdapter.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "kube-bench.fullname" . }} - labels: - {{- include "kube-bench.labels" . | nindent 4 }} -rules: -- apiGroups: [""] # "" indicates the core API group - resources: ["pods","pods/log"] - verbs: ["get", "list", "watch", "delete"] -- apiGroups: ["batch", "extensions"] - resources: ["jobs"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] -- apiGroups: ["wgpolicyk8s.io"] - resources: ["policyreports", "clusterpolicyreports"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] -{{- end }} diff --git a/charts/enterprise-kyverno-operator/templates/cis-adapter-1.2/rbac/serviceaccount.yaml b/charts/enterprise-kyverno-operator/templates/cis-adapter-1.2/rbac/serviceaccount.yaml deleted file mode 100644 index 94f8bea8..00000000 --- a/charts/enterprise-kyverno-operator/templates/cis-adapter-1.2/rbac/serviceaccount.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{- if .Values.cisAdapter.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "kube-bench.serviceAccountName" . }} - labels: - {{- include "kube-bench.labels" . | nindent 4 }} - {{- with .Values.cisAdapter.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} - namespace : {{.Values.cisAdapter.namespace}} -{{- end }} diff --git a/charts/enterprise-kyverno-operator/templates/cr-aws-adapter.yaml b/charts/enterprise-kyverno-operator/templates/cr-aws-adapter.yaml deleted file mode 100644 index f88b68fe..00000000 --- a/charts/enterprise-kyverno-operator/templates/cr-aws-adapter.yaml +++ /dev/null @@ -1,29 +0,0 @@ -{{- if .Values.awsAdapter.createCR }} -apiVersion: security.nirmata.io/v1alpha1 -kind: KyvernoAdapter -metadata: - annotations: - labels: - {{- include "enterprise-kyverno.labels" . | nindent 4 }} - {{- if .Values.globalLabels }} - {{- toYaml .Values.globalLabels| nindent 4 }} - {{- end }} - annotations: - {{- if .Values.globalAnnotations }} - {{- toYaml .Values.globalAnnotations | nindent 4 }} - {{- end }} - name: aws-adapter-config - namespace: {{ template "enterprise-kyverno.namespace" . }} -spec: - adapterType: AWS - namespace: {{ include "kyverno-aws-adapter.namespace" . }} - repository: {{ .Values.awsAdapter.image.repository }} - version: {{ .Values.awsAdapter.image.tag }} - replicas: {{ .Values.awsAdapter.replicas }} - - helm: - values: - eksCluster: - name: {{ required "awsAdapter.eksCluster.name is required" .Values.awsAdapter.eksCluster.name }} - region: {{ required "awsAdapter.eksCluster.region is required" .Values.awsAdapter.eksCluster.region }} -{{- end }} diff --git a/charts/enterprise-kyverno-operator/templates/cr-cis-adapter.yaml b/charts/enterprise-kyverno-operator/templates/cr-cis-adapter.yaml deleted file mode 100644 index c9111b42..00000000 --- a/charts/enterprise-kyverno-operator/templates/cr-cis-adapter.yaml +++ /dev/null @@ -1,29 +0,0 @@ -{{- if .Values.cisAdapter.createCR }} -apiVersion: security.nirmata.io/v1alpha1 -kind: KyvernoAdapter -metadata: - annotations: - labels: - {{- include "enterprise-kyverno.labels" . | nindent 4 }} - {{- if .Values.globalLabels }} - {{- toYaml .Values.globalLabels| nindent 4 }} - {{- end }} - annotations: - {{- if .Values.globalAnnotations }} - {{- toYaml .Values.globalAnnotations | nindent 4 }} - {{- end }} - name: cis-adapter-config - namespace: {{ template "enterprise-kyverno.namespace" . }} -spec: - adapterType: CIS - namespace: {{ include "kube-bench.namespace" . }} - repository: {{ .Values.cisAdapter.image.repository }} - version: {{ .Values.cisAdapter.image.tag }} - replicas: {{ .Values.cisAdapter.replicas }} - - helm: - values: - {{- toYaml .Values.cisAdapter.helm | nindent 6 }} - fullnameOverride: {{ .Values.cisAdapter.fullnameOverride }} - nameOverride: {{ .Values.cisAdapter.nameOverride }} -{{- end }} diff --git a/charts/enterprise-kyverno-operator/templates/cr-image-scan-adapter.yaml b/charts/enterprise-kyverno-operator/templates/cr-image-scan-adapter.yaml deleted file mode 100644 index 84510a9b..00000000 --- a/charts/enterprise-kyverno-operator/templates/cr-image-scan-adapter.yaml +++ /dev/null @@ -1,27 +0,0 @@ -{{- if .Values.imageScanAdapter.createCR }} -apiVersion: security.nirmata.io/v1alpha1 -kind: KyvernoAdapter -metadata: - annotations: - labels: - {{- include "enterprise-kyverno.labels" . | nindent 4 }} - {{- if .Values.globalLabels }} - {{- toYaml .Values.globalLabels| nindent 4 }} - {{- end }} - annotations: - {{- if .Values.globalAnnotations }} - {{- toYaml .Values.globalAnnotations | nindent 4 }} - {{- end }} - name: image-scan-adapter-config - namespace: {{ template "enterprise-kyverno.namespace" . }} -spec: - adapterType: Vulnerability - namespace: {{ include "image-scan-adapter.namespace" . }} - repository: {{ .Values.imageScanAdapter.image.repository }} - version: {{ .Values.imageScanAdapter.image.tag }} - replicas: {{ .Values.imageScanAdapter.replicas }} - - helm: - values: - scanAll: true -{{- end }} diff --git a/charts/enterprise-kyverno-operator/templates/cr-kyverno.yaml b/charts/enterprise-kyverno-operator/templates/cr-kyverno.yaml index ac3b3209..d42338be 100644 --- a/charts/enterprise-kyverno-operator/templates/cr-kyverno.yaml +++ b/charts/enterprise-kyverno-operator/templates/cr-kyverno.yaml @@ -6,17 +6,8 @@ metadata: {{- if .Values.globalAnnotations }} {{- toYaml .Values.globalAnnotations | nindent 4 }} {{- end }} - labels: - {{- include "enterprise-kyverno.labels" . | nindent 4 }} name: kyverno namespace: {{ template "enterprise-kyverno.namespace" . }} -spec: - namespace: {{ include "kyverno.namespace" . }} - repository: {{ .Values.kyverno.image.repository }} - version: {{ .Values.kyverno.image.tag }} - replicas: {{ include "enterprise-kyverno.kyvernoReplicas" . }} +spec: {} - helm: - values: - {{- include "enterprise-kyverno.combinedKyveroHelm" . | nindent 6 }} -{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/enterprise-kyverno-operator/templates/crds-common/policyReports.yaml b/charts/enterprise-kyverno-operator/templates/crds-common/policyReports.yaml deleted file mode 100644 index 5cbddebd..00000000 --- a/charts/enterprise-kyverno-operator/templates/crds-common/policyReports.yaml +++ /dev/null @@ -1,728 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - {{- with .Values.crds.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - {{- include "kyverno.crds.labels" . | nindent 4 }} - name: clusterpolicyreports.wgpolicyk8s.io -spec: - group: wgpolicyk8s.io - names: - kind: ClusterPolicyReport - listKind: ClusterPolicyReportList - plural: clusterpolicyreports - shortNames: - - cpolr - singular: clusterpolicyreport - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .scope.kind - name: Kind - type: string - - jsonPath: .scope.name - name: Name - type: string - - jsonPath: .summary.pass - name: Pass - type: integer - - jsonPath: .summary.fail - name: Fail - type: integer - - jsonPath: .summary.warn - name: Warn - type: integer - - jsonPath: .summary.error - name: Error - type: integer - - jsonPath: .summary.skip - name: Skip - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - description: ClusterPolicyReport is the Schema for the clusterpolicyreports - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for the - policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for the - policy rule - type: object - resourceSelector: - description: SubjectSelector is an optional label selector for checked - Kubernetes resources. For example, a policy result may apply to - all pods that match a label. Either a Subject or a SubjectSelector - can be specified. If neither are provided, the result is assumed - to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - resources: - description: Subjects is an optional reference to the checked Kubernetes - resources - items: - description: "ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular - restrictions like, \"must refer only to types A and B\" or \"UID - not honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. Because - the usages are different, the validation rules are different - by usage, which makes it hard for users to predict what will - happen. 4. The fields are both imprecise and overly precise. - \ Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, - the dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n Instead - of using this type, create a locally provided and used type - that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - type: array - result: - description: Result indicates the outcome of the policy rule execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within the - policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not be - evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not selected - for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - {{- with .Values.crds.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - {{- include "kyverno.crds.labels" . | nindent 4 }} - name: policyreports.wgpolicyk8s.io -spec: - group: wgpolicyk8s.io - names: - kind: PolicyReport - listKind: PolicyReportList - plural: policyreports - shortNames: - - polr - singular: policyreport - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .scope.kind - name: Kind - type: string - - jsonPath: .scope.name - name: Name - type: string - - jsonPath: .summary.pass - name: Pass - type: integer - - jsonPath: .summary.fail - name: Fail - type: integer - - jsonPath: .summary.warn - name: Warn - type: integer - - jsonPath: .summary.error - name: Error - type: integer - - jsonPath: .summary.skip - name: Skip - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - description: PolicyReport is the Schema for the policyreports API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for the - policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for the - policy rule - type: object - resourceSelector: - description: SubjectSelector is an optional label selector for checked - Kubernetes resources. For example, a policy result may apply to - all pods that match a label. Either a Subject or a SubjectSelector - can be specified. If neither are provided, the result is assumed - to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - resources: - description: Subjects is an optional reference to the checked Kubernetes - resources - items: - description: "ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular - restrictions like, \"must refer only to types A and B\" or \"UID - not honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. Because - the usages are different, the validation rules are different - by usage, which makes it hard for users to predict what will - happen. 4. The fields are both imprecise and overly precise. - \ Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, - the dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n Instead - of using this type, create a locally provided and used type - that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - type: array - result: - description: Result indicates the outcome of the policy rule execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within the - policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not be - evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not selected - for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - type: object - served: true - storage: true - subresources: {} diff --git a/charts/enterprise-kyverno-operator/templates/deployment.yaml b/charts/enterprise-kyverno-operator/templates/deployment.yaml index 10e05060..5f925ded 100644 --- a/charts/enterprise-kyverno-operator/templates/deployment.yaml +++ b/charts/enterprise-kyverno-operator/templates/deployment.yaml @@ -63,6 +63,9 @@ spec: args: - --profile={{- .Values.profile | default "prod" }} - --enable-webhook={{- .Values.enableWebhook | default false}} + - --enable-policyset={{- .Values.enablePolicyset | default false}} + - --kyverno-deployment={{- .Values.kyvernoDeployment | default "kyverno-admission-controller"}} + - --kyverno-namespace={{- .Values.kyvernoNamespace | default "kyverno"}} - --install-rbac={{- .Values.rbac.operatorHasAdminPerms | default false }} - --manage-certs={{- include "enterprise-kyverno.managecerts" . }} - --prevent-policy-tamper={{- include "enterprise-kyverno.preventPolicyTamper" . }} diff --git a/charts/enterprise-kyverno-operator/templates/image-scan-adapter-0.1/crds/security.nirmata.io_imagescanadapterconfigs.yaml b/charts/enterprise-kyverno-operator/templates/image-scan-adapter-0.1/crds/security.nirmata.io_imagescanadapterconfigs.yaml deleted file mode 100644 index 2637d92f..00000000 --- a/charts/enterprise-kyverno-operator/templates/image-scan-adapter-0.1/crds/security.nirmata.io_imagescanadapterconfigs.yaml +++ /dev/null @@ -1,99 +0,0 @@ -{{- if and (eq .Values.imageScanAdapter.rbac.create true) (not .Values.rbac.operatorHasAdminPerms ) }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null - name: imagescanadapterconfigs.security.nirmata.io -spec: - group: security.nirmata.io - names: - kind: ImageScanAdapterConfig - listKind: ImageScanAdapterConfigList - plural: imagescanadapterconfigs - shortNames: - - isacfg - singular: imagescanadapterconfig - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.scannerEngine - name: Scanner Engine - type: string - - jsonPath: .status.result - name: Result - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: ImageScanAdapterConfig is the Schema for the imagescanadapterconfigs - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ImageScanAdapterConfigSpec defines the desired state of ImageScanAdapterConfig - properties: - outputFormat: - type: string - policyReportPrefix: - type: string - scanAll: - type: boolean - scanInterval: - type: string - scannerEngine: - type: string - selectors: - properties: - namespaces: - items: - type: string - type: array - type: object - severity: - items: - type: string - type: array - type: object - status: - description: ImageScanAdapterConfigStatus defines the observed state of - ImageScanAdapterConfig - properties: - lastRunEndTime: - format: date-time - type: string - lastRunStartTime: - format: date-time - type: string - lastRunStats: - properties: - imagesScanned: - format: int64 - type: integer - type: object - message: - type: string - result: - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} -{{- end }} diff --git a/charts/enterprise-kyverno-operator/templates/image-scan-adapter-0.1/namespace/image-scan-adapter.yaml b/charts/enterprise-kyverno-operator/templates/image-scan-adapter-0.1/namespace/image-scan-adapter.yaml deleted file mode 100644 index 48b0af6f..00000000 --- a/charts/enterprise-kyverno-operator/templates/image-scan-adapter-0.1/namespace/image-scan-adapter.yaml +++ /dev/null @@ -1,6 +0,0 @@ -{{- if .Values.imageScanAdapter.rbac.create }} -apiVersion: v1 -kind: Namespace -metadata: - name: {{ include "image-scan-adapter.namespace" . }} -{{- end}} diff --git a/charts/enterprise-kyverno-operator/templates/image-scan-adapter-0.1/namespace/rolebindings.yaml b/charts/enterprise-kyverno-operator/templates/image-scan-adapter-0.1/namespace/rolebindings.yaml deleted file mode 100644 index fac6c0e6..00000000 --- a/charts/enterprise-kyverno-operator/templates/image-scan-adapter-0.1/namespace/rolebindings.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if .Values.imageScanAdapter.rbac.create }} -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ template "image-scan-adapter.name" . }}-installer - namespace: {{ include "image-scan-adapter.namespace" . }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "image-scan-adapter.name" . }}-installer -subjects: -- kind: ServiceAccount - name: {{ template "enterprise-kyverno.rbac.serviceAccountName" . }} - namespace: {{ template "enterprise-kyverno.namespace" . }} -{{- end }} diff --git a/charts/enterprise-kyverno-operator/templates/image-scan-adapter-0.1/namespace/roles.yaml b/charts/enterprise-kyverno-operator/templates/image-scan-adapter-0.1/namespace/roles.yaml deleted file mode 100644 index d94dff6f..00000000 --- a/charts/enterprise-kyverno-operator/templates/image-scan-adapter-0.1/namespace/roles.yaml +++ /dev/null @@ -1,11 +0,0 @@ -{{- if .Values.imageScanAdapter.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - namespace: {{ include "image-scan-adapter.namespace" . }} - name: {{ include "image-scan-adapter.name" . }}-installer -rules: -- apiGroups: ["*"] - resources: ["*"] - verbs: ["*"] -{{- end}} diff --git a/charts/enterprise-kyverno-operator/templates/image-scan-adapter-0.1/rbac/_helpers.tpl b/charts/enterprise-kyverno-operator/templates/image-scan-adapter-0.1/rbac/_helpers.tpl deleted file mode 100644 index c023427e..00000000 --- a/charts/enterprise-kyverno-operator/templates/image-scan-adapter-0.1/rbac/_helpers.tpl +++ /dev/null @@ -1,64 +0,0 @@ -{{/* -Expand the name of the chart. -*/}} -{{- define "image-scan-adapter.name" -}} -{{- default "image-scan-adapter" .Values.imageScanAdapter.nameOverride | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "image-scan-adapter.fullname" -}} -{{- if .Values.imageScanAdapter.fullnameOverride }} -{{- .Values.imageScanAdapter.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default "image-scan-adapter" .Values.imageScanAdapter.nameOverride }} -{{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "image-scan-adapter.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "image-scan-adapter.labels" -}} -helm.sh/chart: {{ include "image-scan-adapter.chart" . }} -{{ include "image-scan-adapter.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "image-scan-adapter.selectorLabels" -}} -app.kubernetes.io/name: {{ include "image-scan-adapter.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} - -{{/* Create the name of the service account to use */}} -{{- define "image-scan-adapter.serviceAccountName" -}} -{{- if .Values.imageScanAdapter.rbac.create -}} - {{ default (include "image-scan-adapter.fullname" .) .Values.imageScanAdapter.rbac.serviceAccount.name }} -{{- else -}} - {{- default "default" .Values.imageScanAdapter.serviceAccount.name }} -{{- end -}} -{{- end -}} - -{{- define "image-scan-adapter.image" -}} -{{ printf "%s:%s" (required "An image repository is required" .Values.imageScanAdapter.image.repository) (default .Chart.AppVersion .Values.imageScanAdapter.image.tag) }} -{{- end }} diff --git a/charts/enterprise-kyverno-operator/templates/image-scan-adapter-0.1/rbac/rbac.yaml b/charts/enterprise-kyverno-operator/templates/image-scan-adapter-0.1/rbac/rbac.yaml deleted file mode 100644 index b3b98f93..00000000 --- a/charts/enterprise-kyverno-operator/templates/image-scan-adapter-0.1/rbac/rbac.yaml +++ /dev/null @@ -1,151 +0,0 @@ -{{- if and (eq .Values.imageScanAdapter.rbac.create true) (not .Values.rbac.operatorHasAdminPerms) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "image-scan-adapter.fullname" . }} - labels: - {{- include "image-scan-adapter.labels" . | nindent 4 }} -rules: -- apiGroups: - - "" - resources: - - namespaces - verbs: - - list - - watch -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch -- apiGroups: - - apps - resources: - - daemonsets - verbs: - - get -- apiGroups: - - apps - resources: - - deployments - verbs: - - get -- apiGroups: - - apps - resources: - - replicasets - verbs: - - get -- apiGroups: - - apps - resources: - - statefulsets - verbs: - - get -- apiGroups: - - batch - resources: - - cronjobs - verbs: - - get -- apiGroups: - - batch - resources: - - jobs - verbs: - - get -- apiGroups: - - kyverno.io - resources: - - clusterpolicies - verbs: - - list - - watch -- apiGroups: - - kyverno.io - resources: - - policies - verbs: - - list - - watch -- apiGroups: - - security.nirmata.io - resources: - - imagescanadapterconfigs - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - security.nirmata.io - resources: - - imagescanadapterconfigs/finalizers - verbs: - - update -- apiGroups: - - security.nirmata.io - resources: - - imagescanadapterconfigs/status - verbs: - - get - - patch - - update -- apiGroups: - - wgpolicyk8s.io - resources: - - policyreports - verbs: - - create - - get - - list - - update - - watch -- apiGroups: - - "" - resources: - - configmaps - verbs: - - list - - create - - get - - update - - watch ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "image-scan-adapter.serviceAccountName" . }} - namespace: {{ include "image-scan-adapter.namespace" . }} - labels: - {{- include "image-scan-adapter.labels" . | nindent 4 }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "image-scan-adapter.fullname" . }} - labels: - {{- include "image-scan-adapter.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "image-scan-adapter.fullname" . }} -subjects: -- kind: ServiceAccount - name: {{ include "image-scan-adapter.serviceAccountName" . }} - namespace: {{ include "image-scan-adapter.namespace" . }} -{{- end }} diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/_helpers.tpl b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/_helpers.tpl deleted file mode 100644 index 08ec2da4..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/_helpers.tpl +++ /dev/null @@ -1,97 +0,0 @@ -{{/* vim: set filetype=mustache: */}} - -{{- define "kyverno.chartVersion" -}} -{{- if .Values.kyverno.templating.enabled -}} - {{- required "templating.version is required when templating.enabled is true" .Values.kyverno.templating.version | replace "+" "_" -}} -{{- else -}} - {{- .Chart.Version | replace "+" "_" -}} -{{- end -}} -{{- end -}} - -{{- define "kyverno.features.flags" -}} -{{- $flags := list -}} -{{- with .admissionReports -}} - {{- $flags = append $flags (print "--admissionReports=" .enabled) -}} -{{- end -}} -{{- with .aggregateReports -}} - {{- $flags = append $flags (print "--aggregateReports=" .enabled) -}} -{{- end -}} -{{- with .policyReports -}} - {{- $flags = append $flags (print "--policyReports=" .enabled) -}} -{{- end -}} -{{- with .validatingAdmissionPolicyReports -}} - {{- $flags = append $flags (print "--validatingAdmissionPolicyReports=" .enabled) -}} -{{- end -}} -{{- with .autoUpdateWebhooks -}} - {{- $flags = append $flags (print "--autoUpdateWebhooks=" .enabled) -}} -{{- end -}} -{{- with .disableAutoWebhookGeneration -}} - {{- $flags = append $flags (print "--disableAutoWebhookGeneration=" .enabled) -}} -{{- end -}} -{{- with .backgroundScan -}} - {{- $flags = append $flags (print "--backgroundScan=" .enabled) -}} - {{- $flags = append $flags (print "--backgroundScanWorkers=" .backgroundScanWorkers) -}} - {{- $flags = append $flags (print "--backgroundScanInterval=" .backgroundScanInterval) -}} - {{- $flags = append $flags (print "--skipResourceFilters=" .skipResourceFilters) -}} -{{- end -}} -{{- with .configMapCaching -}} - {{- $flags = append $flags (print "--enableConfigMapCaching=" .enabled) -}} -{{- end -}} -{{- with .deferredLoading -}} - {{- $flags = append $flags (print "--enableDeferredLoading=" .enabled) -}} -{{- end -}} -{{- with .dumpPayload -}} - {{- $flags = append $flags (print "--dumpPayload=" .enabled) -}} -{{- end -}} -{{- with .forceFailurePolicyIgnore -}} - {{- $flags = append $flags (print "--forceFailurePolicyIgnore=" .enabled) -}} -{{- end -}} -{{- with .generateValidatingAdmissionPolicy -}} - {{- $flags = append $flags (print "--generateValidatingAdmissionPolicy=" .enabled) -}} -{{- end -}} -{{- with .globalContext -}} - {{- $flags = append $flags (print "--maxAPICallResponseLength=" (int .maxApiCallResponseLength)) -}} -{{- end -}} -{{- with .logging -}} - {{- $flags = append $flags (print "--loggingFormat=" .format) -}} - {{- $flags = append $flags (print "--v=" (join "," .verbosity)) -}} -{{- end -}} -{{- with .omitEvents -}} - {{- with .eventTypes -}} - {{- $flags = append $flags (print "--omitEvents=" (join "," .)) -}} - {{- end -}} -{{- end -}} -{{- with .policyExceptions -}} - {{- $flags = append $flags (print "--enablePolicyException=" .enabled) -}} - {{- with .namespace -}} - {{- $flags = append $flags (print "--exceptionNamespace=" .) -}} - {{- end -}} -{{- end -}} -{{- with .protectManagedResources -}} - {{- $flags = append $flags (print "--protectManagedResources=" .enabled) -}} -{{- end -}} -{{- with .reports -}} - {{- $flags = append $flags (print "--reportsChunkSize=" .chunkSize) -}} -{{- end -}} -{{- with .registryClient -}} - {{- $flags = append $flags (print "--allowInsecureRegistry=" .allowInsecure) -}} - {{- $flags = append $flags (print "--registryCredentialHelpers=" (join "," .credentialHelpers)) -}} -{{- end -}} -{{- with .ttlController -}} - {{- $flags = append $flags (print "--ttlReconciliationInterval=" .reconciliationInterval) -}} -{{- end -}} -{{- with .tuf -}} - {{- with .enabled -}} - {{- $flags = append $flags (print "--enableTuf=" .) -}} - {{- end -}} - {{- with .mirror -}} - {{- $flags = append $flags (print "--tufMirror=" .) -}} - {{- end -}} - {{- with .root -}} - {{- $flags = append $flags (print "--tufRoot=" .) -}} - {{- end -}} -{{- end -}} -{{- with $flags -}} - {{- toYaml . -}} -{{- end -}} -{{- end -}} diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/_templating/_helpers.tpl b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/_templating/_helpers.tpl deleted file mode 100644 index 16186b54..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/_templating/_helpers.tpl +++ /dev/null @@ -1,16 +0,0 @@ -{{/* vim: set filetype=mustache: */}} - -{{- define "kyverno.templating.labels" -}} -{{- template "kyverno.labels.merge" (list - (include "kyverno.labels.common" .) - (include "kyverno.matchLabels.common" .) -) -}} -{{- end -}} - -{{- define "kyverno.annotations.common" -}} -{{- if .Values.customAnnotations }} - {{- template "kyverno.annotations.merge" (list - (toYaml .Values.customAnnotations) - ) -}} - {{- end }} -{{- end -}} diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/_templating/namespace.yaml b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/_templating/namespace.yaml deleted file mode 100644 index 87f78eb3..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/_templating/namespace.yaml +++ /dev/null @@ -1,8 +0,0 @@ -{{- if .Values.kyverno.templating.enabled -}} -apiVersion: v1 -kind: Namespace -metadata: - name: {{ include "kyverno.namespace" . }} - labels: - {{- include "kyverno.templating.labels" . | nindent 4 }} -{{- end -}} diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/admission-controller/_helpers.tpl b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/admission-controller/_helpers.tpl deleted file mode 100644 index 43598de3..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/admission-controller/_helpers.tpl +++ /dev/null @@ -1,53 +0,0 @@ -{{/* vim: set filetype=mustache: */}} - -{{- define "kyverno.admission-controller.name" -}} -{{ template "kyverno.name" . }}-admission-controller -{{- end -}} - -{{- define "kyverno.admission-controller.labels" -}} -{{- template "kyverno.labels.merge" (list - (include "kyverno.labels.common" .) - (include "kyverno.admission-controller.matchLabels" .) -) -}} -{{- end -}} - -{{- define "kyverno.admission-controller.matchLabels" -}} -{{- template "kyverno.labels.merge" (list - (include "kyverno.matchLabels.common" .) - (include "kyverno.labels.component" "admission-controller") -) -}} -{{- end -}} - -{{- define "kyverno.admission-controller.roleName" -}} -{{ include "kyverno.fullname" . }}:admission-controller -{{- end -}} - -{{- define "kyverno.admission-controller.serviceAccountName" -}} -{{- if .Values.kyverno.admissionController.rbac.create -}} - {{ default (include "kyverno.admission-controller.name" .) .Values.kyverno.admissionController.rbac.serviceAccount.name }} -{{- else -}} - {{ required "A service account name is required when `rbac.create` is set to `false`" .Values.admissionController.rbac.serviceAccount.name }} -{{- end -}} -{{- end -}} - -{{- define "kyverno.admission-controller.serviceName" -}} -{{- printf "%s-svc" (include "kyverno.fullname" .) | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{- define "kyverno.admission-controller.caCertificatesConfigMapName" -}} -{{ printf "%s-ca-certificates" (include "kyverno.admission-controller.name" .) }} -{{- end -}} - -{{- define "kyverno.admission-controller.serviceAnnotations" -}} - {{- template "kyverno.annotations.merge" (list - (toYaml .Values.customAnnotations) - (toYaml .Values.admissionController.service.annotations) - ) -}} -{{- end -}} - -{{- define "kyverno.background-controller.serviceAccountAnnotations" -}} - {{- template "kyverno.annotations.merge" (list - (toYaml .Values.customAnnotations) - (toYaml .Values.backgroundController.rbac.serviceAccount.annotations) - ) -}} -{{- end -}} diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/admission-controller/clusterrole.yaml b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/admission-controller/clusterrole.yaml deleted file mode 100644 index 6637b316..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/admission-controller/clusterrole.yaml +++ /dev/null @@ -1,163 +0,0 @@ -{{- if .Values.kyverno.admissionController.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.admission-controller.roleName" . }} - labels: - {{- include "kyverno.admission-controller.labels" . | nindent 4 }} -{{- $commonAnnotations := include "kyverno.annotations.common" . | nindent 4 }} -{{- if $commonAnnotations }} - annotations: -{{ $commonAnnotations }} -{{- end }} -aggregationRule: - clusterRoleSelectors: - - matchLabels: - {{- include "kyverno.admission-controller.matchLabels" . | nindent 8 }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.admission-controller.roleName" . }}:core - labels: - {{- include "kyverno.admission-controller.labels" . | nindent 4 }} -rules: - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - apiGroups: - - admissionregistration.k8s.io - resources: - - mutatingwebhookconfigurations - - validatingwebhookconfigurations - {{- if .Values.kyverno.helm.features.generateValidatingAdmissionPolicy.enabled }} - - validatingadmissionpolicies - - validatingadmissionpolicybindings - {{- end }} - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - clusterroles - - rolebindings - - clusterrolebindings - verbs: - - list - - watch - - apiGroups: - - kyverno.io - resources: - - policies - - policies/status - - clusterpolicies - - clusterpolicies/status - - updaterequests - - updaterequests/status - - globalcontextentries - - globalcontextentries/status - - admissionreports - - clusteradmissionreports - - backgroundscanreports - - clusterbackgroundscanreports - - policyexceptions - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection - - apiGroups: - - reports.kyverno.io - resources: - - ephemeralreports - - clusterephemeralreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection - - apiGroups: - - wgpolicyk8s.io - resources: - - policyreports - - policyreports/status - - clusterpolicyreports - - clusterpolicyreports/status - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection - - apiGroups: - - '' - - events.k8s.io - resources: - - events - verbs: - - create - - update - - patch - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create - - apiGroups: - - '' - resources: - - configmaps - - namespaces - verbs: - - get - - list - - watch - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - update - - patch - - get - - list - - watch -{{- with .Values.kyverno.admissionController.rbac.coreClusterRole.extraResources }} - {{- toYaml . | nindent 2 }} -{{- end }} -{{- with .Values.kyverno.admissionController.rbac.clusterRole.extraResources }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.admission-controller.roleName" $ }}:additional - labels: - {{- include "kyverno.admission-controller.labels" $ | nindent 4 }} -rules: - {{- toYaml . | nindent 2 }} -{{- end }} -{{- end }} diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/admission-controller/clusterrolebinding.yaml b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/admission-controller/clusterrolebinding.yaml deleted file mode 100644 index f00fbecf..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/admission-controller/clusterrolebinding.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if .Values.kyverno.admissionController.rbac.create }} -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ template "kyverno.admission-controller.roleName" . }} - labels: - {{- include "kyverno.admission-controller.labels" . | nindent 4 }} -{{- $commonAnnotations := include "kyverno.annotations.common" . | nindent 4 }} -{{- if $commonAnnotations }} - annotations: -{{ $commonAnnotations }} -{{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "kyverno.admission-controller.roleName" . }} -subjects: - - kind: ServiceAccount - name: {{ template "kyverno.admission-controller.serviceAccountName" . }} - namespace: {{ template "kyverno.namespace" . }} -{{- end -}} diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/admission-controller/role.yaml b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/admission-controller/role.yaml deleted file mode 100644 index 03895e4b..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/admission-controller/role.yaml +++ /dev/null @@ -1,77 +0,0 @@ -{{- if .Values.kyverno.admissionController.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ template "kyverno.admission-controller.roleName" . }} - namespace: {{ template "kyverno.namespace" . }} - labels: - {{- include "kyverno.admission-controller.labels" . | nindent 4 }} -{{- $commonAnnotations := include "kyverno.annotations.common" . | nindent 4 }} -{{- if $commonAnnotations }} - annotations: -{{ $commonAnnotations }} -{{- end }} -rules: - - apiGroups: - - '' - resources: - - secrets - verbs: - - get - - list - - watch - - create - - update - - delete - - apiGroups: - - '' - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - delete - - update - resourceNames: - - {{ include "kyverno.config.configMapName" . }} - - {{ include "kyverno.config.metricsConfigMapName" . }} - - license-check-success - - apiGroups: - - '' - resources: - - configmaps - verbs: - - create - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - delete - - get - - patch - - update - # Allow update of Kyverno deployment annotations - - apiGroups: - - apps - resources: - - deployments - {{- if .Values.kyverno.webhooksCleanup.enabled }} - {{- if not .Values.kyverno.templating.enabled }} - - deployments/scale - {{- end }} - {{- end }} - verbs: - - get - - list - - watch - {{- if .Values.kyverno.webhooksCleanup.enabled }} - {{- if not .Values.kyverno.templating.enabled }} - - patch - - update - {{- end }} - {{- end }} -{{- end -}} diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/admission-controller/rolebinding.yaml b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/admission-controller/rolebinding.yaml deleted file mode 100644 index 02025847..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/admission-controller/rolebinding.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{- if .Values.kyverno.admissionController.rbac.create }} -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ template "kyverno.admission-controller.roleName" . }} - namespace: {{ template "kyverno.namespace" . }} - labels: - {{- include "kyverno.admission-controller.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ template "kyverno.admission-controller.roleName" . }} -subjects: - - kind: ServiceAccount - name: {{ template "kyverno.admission-controller.serviceAccountName" . }} - namespace: {{ template "kyverno.namespace" . }} -{{- end -}} diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/admission-controller/serviceaccount.yaml b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/admission-controller/serviceaccount.yaml deleted file mode 100644 index 4d9e7e22..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/admission-controller/serviceaccount.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{- if .Values.kyverno.admissionController.rbac.create }} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ template "kyverno.admission-controller.serviceAccountName" . }} - namespace: {{ template "kyverno.namespace" . }} - labels: - {{- include "kyverno.admission-controller.labels" . | nindent 4 }} - {{- with .Values.kyverno.admissionController.rbac.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end }} diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/background-controller/_helpers.tpl b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/background-controller/_helpers.tpl deleted file mode 100644 index 0c70d662..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/background-controller/_helpers.tpl +++ /dev/null @@ -1,58 +0,0 @@ -{{/* vim: set filetype=mustache: */}} - -{{- define "kyverno.background-controller.name" -}} -{{ template "kyverno.name" . }}-background-controller -{{- end -}} - -{{- define "kyverno.background-controller.labels" -}} -{{- template "kyverno.labels.merge" (list - (include "kyverno.labels.common" .) - (include "kyverno.background-controller.matchLabels" .) -) -}} -{{- end -}} - -{{- define "kyverno.background-controller.matchLabels" -}} -{{- template "kyverno.labels.merge" (list - (include "kyverno.matchLabels.common" .) - (include "kyverno.labels.component" "background-controller") -) -}} -{{- end -}} - -{{- define "kyverno.background-controller.image" -}} -{{- $imageRegistry := default .image.registry .globalRegistry -}} -{{- if $imageRegistry -}} - {{ $imageRegistry }}/{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }} -{{- else -}} - {{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }} -{{- end -}} -{{- end -}} - -{{- define "kyverno.background-controller.roleName" -}} -{{ include "kyverno.fullname" . }}:background-controller -{{- end -}} - -{{- define "kyverno.background-controller.serviceAccountName" -}} -{{- if .Values.kyverno.backgroundController.rbac.create -}} - {{ default (include "kyverno.background-controller.name" .) .Values.kyverno.backgroundController.rbac.serviceAccount.name }} -{{- else -}} - {{ required "A service account name is required when `rbac.create` is set to `false`" .Values.kyverno.backgroundController.rbac.serviceAccount.name }} -{{- end -}} -{{- end -}} - -{{- define "kyverno.background-controller.serviceAnnotations" -}} - {{- template "kyverno.annotations.merge" (list - (toYaml .Values.customAnnotations) - (toYaml .Values.admissionController.service.annotations) - ) -}} -{{- end -}} - -{{- define "kyverno.background-controller.caCertificatesConfigMapName" -}} -{{ printf "%s-ca-certificates" (include "kyverno.background-controller.name" .) }} -{{- end -}} - -{{- define "kyverno.background-controller.serviceAccountAnnotations" -}} - {{- template "kyverno.annotations.merge" (list - (toYaml .Values.customAnnotations) - (toYaml .Values.backgroundController.rbac.serviceAccount.annotations) - ) -}} -{{- end -}} \ No newline at end of file diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/background-controller/clusterrole.yaml b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/background-controller/clusterrole.yaml deleted file mode 100644 index 66383527..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/background-controller/clusterrole.yaml +++ /dev/null @@ -1,133 +0,0 @@ -{{- if .Values.kyverno.backgroundController.enabled -}} -{{- if .Values.kyverno.backgroundController.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.background-controller.roleName" . }} - labels: - {{- include "kyverno.background-controller.labels" . | nindent 4 }} -{{- $commonAnnotations := include "kyverno.annotations.common" . | nindent 4 }} -{{- if $commonAnnotations }} - annotations: -{{ $commonAnnotations }} -{{- end }} -aggregationRule: - clusterRoleSelectors: - - matchLabels: - {{- include "kyverno.background-controller.matchLabels" . | nindent 8 }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.background-controller.roleName" . }}:core - labels: - {{- include "kyverno.background-controller.labels" . | nindent 4 }} -{{- $commonAnnotations := include "kyverno.annotations.common" . | nindent 4 }} -{{- if $commonAnnotations }} - annotations: -{{ $commonAnnotations }} -{{- end }} -rules: - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - list - - watch - - apiGroups: - - kyverno.io - resources: - - policies - - clusterpolicies - - policyexceptions - - updaterequests - - updaterequests/status - - globalcontextentries - - globalcontextentries/status - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection - - apiGroups: - - '' - resources: - - namespaces - - configmaps - verbs: - - get - - list - - watch - - apiGroups: - - '' - - events.k8s.io - resources: - - events - verbs: - - create - - update - - patch - - get - - list - - apiGroups: - - networking.k8s.io - resources: - - ingresses - - ingressclasses - - networkpolicies - verbs: - - create - - update - - patch - - delete - - apiGroups: - - "" - resources: - - configmaps - - secrets - - resourcequotas - - limitranges - verbs: - - create - - update - - patch - - delete - - apiGroups: - - rbac.authorization.k8s.io - resources: - - rolebindings - - roles - verbs: - - create - - update - - patch - - delete - - watch -{{- with .Values.kyverno.backgroundController.rbac.coreClusterRole.extraResources }} - {{- toYaml . | nindent 2 }} -{{- end }} -{{- with .Values.kyverno.backgroundController.rbac.clusterRole.extraResources }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.background-controller.roleName" $ }}:additional - labels: - {{- include "kyverno.background-controller.labels" $ | nindent 4 }} -{{- $commonAnnotations := include "kyverno.annotations.common" . | nindent 4 }} -{{- if $commonAnnotations }} - annotations: -{{ $commonAnnotations }} -{{- end }} -rules: - {{- toYaml . | nindent 2 }} -{{- end }} -{{- end }} -{{- end }} - diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/background-controller/clusterrolebinding.yaml b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/background-controller/clusterrolebinding.yaml deleted file mode 100644 index e7643a09..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/background-controller/clusterrolebinding.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if .Values.kyverno.backgroundController.enabled -}} -{{- if .Values.kyverno.backgroundController.rbac.create -}} -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ template "kyverno.background-controller.roleName" . }} - labels: - {{- include "kyverno.background-controller.labels" . | nindent 4 }} -{{- $commonAnnotations := include "kyverno.annotations.common" . | nindent 4 }} -{{- if $commonAnnotations }} - annotations: -{{ $commonAnnotations }} -{{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "kyverno.background-controller.roleName" . }} -subjects: -- kind: ServiceAccount - name: {{ template "kyverno.background-controller.serviceAccountName" . }} - namespace: {{ template "kyverno.namespace" . }} -{{- end -}} -{{- end -}} diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/background-controller/role.yaml b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/background-controller/role.yaml deleted file mode 100644 index d6d5c9c2..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/background-controller/role.yaml +++ /dev/null @@ -1,53 +0,0 @@ -{{- if .Values.kyverno.backgroundController.enabled -}} -{{- if .Values.kyverno.backgroundController.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ template "kyverno.background-controller.roleName" . }} - labels: - {{- include "kyverno.background-controller.labels" . | nindent 4 }} -{{- $commonAnnotations := include "kyverno.annotations.common" . | nindent 4 }} -{{- if $commonAnnotations }} - annotations: -{{ $commonAnnotations }} -{{- end }} - namespace: {{ template "kyverno.namespace" . }} -rules: - - apiGroups: - - '' - resources: - - configmaps - verbs: - - get - - list - - watch - resourceNames: - - {{ include "kyverno.config.configMapName" . }} - - {{ include "kyverno.config.metricsConfigMapName" . }} - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - delete - - get - - patch - - update - resourceNames: - - kyverno-background-controller - - apiGroups: - - '' - resources: - - secrets - verbs: - - get - - list - - watch -{{- end -}} -{{- end -}} diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/background-controller/rolebinding.yaml b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/background-controller/rolebinding.yaml deleted file mode 100644 index 897507be..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/background-controller/rolebinding.yaml +++ /dev/null @@ -1,24 +0,0 @@ -{{- if .Values.kyverno.backgroundController.enabled -}} -{{- if .Values.kyverno.backgroundController.rbac.create -}} -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ template "kyverno.background-controller.roleName" . }} - labels: - {{- include "kyverno.background-controller.labels" . | nindent 4 }} -{{- $commonAnnotations := include "kyverno.annotations.common" . | nindent 4 }} -{{- if $commonAnnotations }} - annotations: -{{ $commonAnnotations }} -{{- end }} - namespace: {{ template "kyverno.namespace" . }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ template "kyverno.background-controller.roleName" . }} -subjects: - - kind: ServiceAccount - name: {{ template "kyverno.background-controller.serviceAccountName" . }} - namespace: {{ template "kyverno.namespace" . }} -{{- end -}} -{{- end -}} diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/background-controller/serviceaccount.yaml b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/background-controller/serviceaccount.yaml deleted file mode 100644 index 455118c5..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/background-controller/serviceaccount.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if .Values.kyverno.backgroundController.enabled -}} -{{- if .Values.kyverno.backgroundController.rbac.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ template "kyverno.background-controller.serviceAccountName" . }} - namespace: {{ template "kyverno.namespace" . }} - labels: - {{- include "kyverno.background-controller.labels" . | nindent 4 }} - {{- with .Values.kyverno.backgroundController.rbac.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end -}} -{{- end -}} diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup-controller/_helpers.tpl b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup-controller/_helpers.tpl deleted file mode 100644 index 435f8175..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup-controller/_helpers.tpl +++ /dev/null @@ -1,54 +0,0 @@ -{{/* vim: set filetype=mustache: */}} - -{{- define "kyverno.cleanup-controller.name" -}} -{{ template "kyverno.name" . }}-cleanup-controller -{{- end -}} - -{{- define "kyverno.cleanup-controller.labels" -}} -{{- template "kyverno.labels.merge" (list - (include "kyverno.labels.common" .) - (include "kyverno.cleanup-controller.matchLabels" .) -) -}} -{{- end -}} - -{{- define "kyverno.cleanup-controller.matchLabels" -}} -{{- template "kyverno.labels.merge" (list - (include "kyverno.matchLabels.common" .) - (include "kyverno.labels.component" "cleanup-controller") -) -}} -{{- end -}} - -{{- define "kyverno.cleanup-controller.image" -}} -{{- $imageRegistry := default .image.registry .globalRegistry -}} -{{- if $imageRegistry -}} - {{ $imageRegistry }}/{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }} -{{- else -}} - {{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }} -{{- end -}} -{{- end -}} - -{{- define "kyverno.cleanup-controller.roleName" -}} -{{ include "kyverno.fullname" . }}:cleanup-controller -{{- end -}} - -{{- define "kyverno.cleanup-controller.serviceAccountName" -}} -{{- if .Values.kyverno.cleanupController.rbac.create -}} - {{ default (include "kyverno.cleanup-controller.name" .) .Values.kyverno.cleanupController.rbac.serviceAccount.name }} -{{- else -}} - {{ required "A service account name is required when `rbac.create` is set to `false`" .Values.kyverno.cleanupController.rbac.serviceAccount.name }} -{{- end -}} -{{- end -}} - -{{- define "kyverno.cleanup-controller.serviceAnnotations" -}} - {{- template "kyverno.annotations.merge" (list - (toYaml .Values.customAnnotations) - (toYaml .Values.kyverno.cleanupController.service.annotations) - ) -}} -{{- end -}} - -{{- define "kyverno.cleanup-controller.serviceAccountAnnotations" -}} - {{- template "kyverno.annotations.merge" (list - (toYaml .Values.customAnnotations) - (toYaml .Values.kyverno.cleanupController.rbac.serviceAccount.annotations) - ) -}} -{{- end -}} \ No newline at end of file diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup-controller/clusterrole.yaml b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup-controller/clusterrole.yaml deleted file mode 100644 index a79d6396..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup-controller/clusterrole.yaml +++ /dev/null @@ -1,138 +0,0 @@ -{{- if .Values.kyverno.cleanupController.enabled -}} -{{- if .Values.kyverno.cleanupController.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.cleanup-controller.roleName" . }} - labels: - {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} -{{- $commonAnnotations := include "kyverno.annotations.common" . | nindent 4 }} -{{- if $commonAnnotations }} - annotations: -{{ $commonAnnotations }} -{{- end }} -aggregationRule: - clusterRoleSelectors: - - matchLabels: - {{- include "kyverno.cleanup-controller.matchLabels" . | nindent 8 }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.cleanup-controller.roleName" . }}:core - labels: - {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} -{{- $commonAnnotations := include "kyverno.annotations.common" . | nindent 4 }} -{{- if $commonAnnotations }} - annotations: -{{ $commonAnnotations }} -{{- end }} -rules: - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - list - - watch - - apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - create - - delete - - get - - list - - update - - watch - - apiGroups: - - '' - resources: - - namespaces - verbs: - - get - - list - - watch - - apiGroups: - - kyverno.io - resources: - - clustercleanuppolicies - - cleanuppolicies - verbs: - - list - - watch - - apiGroups: - - kyverno.io - resources: - - globalcontextentries - - globalcontextentries/status - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection - - apiGroups: - - kyverno.io - resources: - - clustercleanuppolicies/status - - cleanuppolicies/status - verbs: - - update - - apiGroups: - - '' - resources: - - configmaps - verbs: - - get - - list - - watch - - apiGroups: - - batch - resources: - - cronjobs - verbs: - - create - - delete - - get - - list - - update - - watch - - apiGroups: - - '' - - events.k8s.io - resources: - - events - verbs: - - create - - patch - - update - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -{{- with .Values.kyverno.cleanupController.rbac.clusterRole.extraResources }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.cleanup-controller.roleName" $ }}:additional - labels: - {{- include "kyverno.cleanup-controller.labels" $ | nindent 4 }} -{{- $commonAnnotations := include "kyverno.annotations.common" . | nindent 4 }} -{{- if $commonAnnotations }} - annotations: -{{ $commonAnnotations }} -{{- end }} -rules: - {{- toYaml . | nindent 2 }} -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup-controller/clusterrolebinding.yaml b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup-controller/clusterrolebinding.yaml deleted file mode 100644 index 892e05dd..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup-controller/clusterrolebinding.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if .Values.kyverno.cleanupController.enabled -}} -{{- if .Values.kyverno.cleanupController.rbac.create -}} -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ template "kyverno.cleanup-controller.roleName" . }} - labels: - {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} -{{- $commonAnnotations := include "kyverno.annotations.common" . | nindent 4 }} -{{- if $commonAnnotations }} - annotations: -{{ $commonAnnotations }} -{{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "kyverno.cleanup-controller.roleName" . }} -subjects: -- kind: ServiceAccount - name: {{ template "kyverno.cleanup-controller.serviceAccountName" . }} - namespace: {{ template "kyverno.namespace" . }} -{{- end -}} -{{- end -}} diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup-controller/role.yaml b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup-controller/role.yaml deleted file mode 100644 index 6f655639..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup-controller/role.yaml +++ /dev/null @@ -1,64 +0,0 @@ -{{- if .Values.kyverno.cleanupController.enabled -}} -{{- if .Values.kyverno.cleanupController.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ template "kyverno.cleanup-controller.roleName" . }} - labels: - {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} -{{- $commonAnnotations := include "kyverno.annotations.common" . | nindent 4 }} -{{- if $commonAnnotations }} - annotations: -{{ $commonAnnotations }} -{{- end }} - namespace: {{ template "kyverno.namespace" . }} -rules: - - apiGroups: - - '' - resources: - - secrets - verbs: - - create - - apiGroups: - - '' - resources: - - secrets - verbs: - - delete - - get - - list - - update - - watch - resourceNames: - - {{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca - - {{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair - - apiGroups: - - '' - resources: - - configmaps - verbs: - - get - - list - - watch - resourceNames: - - {{ include "kyverno.config.configMapName" . }} - - {{ include "kyverno.config.metricsConfigMapName" . }} - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - delete - - get - - patch - - update - resourceNames: - - kyverno-cleanup-controller -{{- end -}} -{{- end -}} diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup-controller/rolebinding.yaml b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup-controller/rolebinding.yaml deleted file mode 100644 index fb061d19..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup-controller/rolebinding.yaml +++ /dev/null @@ -1,24 +0,0 @@ -{{- if .Values.kyverno.cleanupController.enabled -}} -{{- if .Values.kyverno.cleanupController.rbac.create -}} -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ template "kyverno.cleanup-controller.roleName" . }} - labels: - {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} -{{- $commonAnnotations := include "kyverno.annotations.common" . | nindent 4 }} -{{- if $commonAnnotations }} - annotations: -{{ $commonAnnotations }} -{{- end }} - namespace: {{ template "kyverno.namespace" . }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ template "kyverno.cleanup-controller.roleName" . }} -subjects: - - kind: ServiceAccount - name: {{ template "kyverno.cleanup-controller.serviceAccountName" . }} - namespace: {{ template "kyverno.namespace" . }} -{{- end -}} -{{- end -}} diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup-controller/serviceaccount.yaml b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup-controller/serviceaccount.yaml deleted file mode 100644 index 69b6af5d..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup-controller/serviceaccount.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if .Values.kyverno.cleanupController.enabled -}} -{{- if .Values.kyverno.cleanupController.rbac.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ template "kyverno.cleanup-controller.serviceAccountName" . }} - namespace: {{ template "kyverno.namespace" . }} - labels: - {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} - {{- with .Values.kyverno.cleanupController.rbac.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end -}} -{{- end -}} diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup/_helpers.tpl b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup/_helpers.tpl deleted file mode 100644 index a1b70cb3..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup/_helpers.tpl +++ /dev/null @@ -1,9 +0,0 @@ -{{/* vim: set filetype=mustache: */}} - -{{- define "kyverno.cleanup.labels" -}} -{{- template "kyverno.labels.merge" (list - (include "kyverno.labels.common" .) - (include "kyverno.matchLabels.common" .) - (include "kyverno.labels.component" "cleanup") -) -}} -{{- end -}} diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup/clusterrole.yaml b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup/clusterrole.yaml deleted file mode 100644 index 6cf2c59e..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup/clusterrole.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.name" . }}:cleanup-jobs - labels: - {{- include "kyverno.labels.merge" (list (include "kyverno.labels.common" .) (include "kyverno.matchLabels.common" .)) | nindent 4 }} -{{- $commonAnnotations := include "kyverno.annotations.common" . | nindent 4 }} -{{- if $commonAnnotations }} - annotations: -{{ $commonAnnotations }} -{{- end }} -rules: - - apiGroups: - - kyverno.io - resources: - - admissionreports - - clusteradmissionreports - verbs: - - list - - deletecollection - - delete diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup/clusterrolebinding.yaml b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup/clusterrolebinding.yaml deleted file mode 100644 index d9670545..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup/clusterrolebinding.yaml +++ /dev/null @@ -1,19 +0,0 @@ -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ template "kyverno.name" . }}:cleanup-jobs - labels: - {{- include "kyverno.labels.merge" (list (include "kyverno.labels.common" .) (include "kyverno.matchLabels.common" .)) | nindent 4 }} -{{- $commonAnnotations := include "kyverno.annotations.common" . | nindent 4 }} -{{- if $commonAnnotations }} - annotations: -{{ $commonAnnotations }} -{{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "kyverno.name" . }}:cleanup-jobs -subjects: - - kind: ServiceAccount - name: {{ template "kyverno.name" . }}-cleanup-jobs - namespace: {{ template "kyverno.namespace" . }} diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup/serviceaccount.yaml b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup/serviceaccount.yaml deleted file mode 100644 index c39b979b..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup/serviceaccount.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ template "kyverno.name" . }}-cleanup-jobs - namespace: {{ template "kyverno.namespace" . }} - labels: - {{- include "kyverno.labels.merge" (list (include "kyverno.labels.common" .) (include "kyverno.matchLabels.common" .)) | nindent 4 }} -{{- $commonAnnotations := include "kyverno.annotations.common" . | nindent 4 }} -{{- if $commonAnnotations }} - annotations: -{{ $commonAnnotations }} -{{- end }} diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/config/_helpers.tpl b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/config/_helpers.tpl deleted file mode 100644 index b2a5895a..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/config/_helpers.tpl +++ /dev/null @@ -1,82 +0,0 @@ -{{/* vim: set filetype=mustache: */}} - -{{- define "kyverno.config.configMapName" -}} -{{- if .Values.kyverno.config.create -}} - {{ default (include "kyverno.fullname" .) .Values.kyverno.config.name }} -{{- else -}} - {{ required "A configmap name is required when `config.create` is set to `false`" .Values.kyverno.config.name }} -{{- end -}} -{{- end -}} - -{{- define "kyverno.config.metricsConfigMapName" -}} -{{- if .Values.kyverno.metricsConfig.create -}} - {{ default (printf "%s-metrics" (include "kyverno.fullname" .)) .Values.kyverno.metricsConfig.name }} -{{- else -}} - {{ required "A configmap name is required when `metricsConfig.create` is set to `false`" .Values.kyverno.metricsConfig.name }} -{{- end -}} -{{- end -}} - -{{- define "kyverno.config.labels" -}} -{{- template "kyverno.labels.merge" (list - (include "kyverno.labels.common" .) - (include "kyverno.config.matchLabels" .) -) -}} -{{- end -}} - -{{- define "kyverno.config.matchLabels" -}} -{{- template "kyverno.labels.merge" (list - (include "kyverno.matchLabels.common" .) - (include "kyverno.labels.component" "config") -) -}} -{{- end -}} - -{{- define "kyverno.config.resourceFilters" -}} -{{- $resourceFilters := .Values.kyverno.config.resourceFilters -}} -{{- if .Values.kyverno.config.excludeKyvernoNamespace -}} - {{- $resourceFilters = prepend .Values.kyverno.config.resourceFilters (printf "[*/*,%s,*]" (include "kyverno.namespace" .)) -}} -{{- end -}} -{{- range $exclude := .Values.kyverno.config.resourceFiltersExcludeNamespaces -}} - {{- range $filter := $resourceFilters -}} - {{- if (contains (printf ",%s," $exclude) $filter) -}} - {{- $resourceFilters = without $resourceFilters $filter -}} - {{- end -}} - {{- end -}} -{{- end -}} -{{- $resourceFilters = concat $resourceFilters .Values.config.resourceFiltersInclude -}} -{{- range $include := .Values.config.resourceFiltersIncludeNamespaces -}} - {{- $resourceFilters = append $resourceFilters (printf "[*/*,%s,*]" $include) -}} -{{- end -}} -{{- range $resourceFilter := $resourceFilters }} -{{ tpl $resourceFilter $ }} -{{- end -}} -{{- end -}} - -{{- define "kyverno.config.webhooks" -}} -{{- $excludeDefault := dict "key" "kubernetes.io/metadata.name" "operator" "NotIn" "values" (list (include "kyverno.namespace" .)) }} -{{- $newWebhook := list }} -{{- range $webhook := .Values.kyverno.config.webhooks }} - {{- $namespaceSelector := default dict $webhook.namespaceSelector }} - {{- $matchExpressions := default list $namespaceSelector.matchExpressions }} - {{- $newNamespaceSelector := dict "matchLabels" $namespaceSelector.matchLabels "matchExpressions" (append $matchExpressions $excludeDefault) }} - {{- $newWebhook = append $newWebhook (merge (omit $webhook "namespaceSelector") (dict "namespaceSelector" $newNamespaceSelector)) }} -{{- end }} -{{- $newWebhook | toJson }} -{{- end -}} - -{{- define "kyverno.config.imagePullSecret" -}} -{{- printf "{\"auths\":{\"%s\":{\"auth\":\"%s\"}}}" .registry (printf "%s:%s" .username .password | b64enc) | b64enc }} -{{- end -}} - -{{- define "kyverno.config.metricsConfigMapAnnotations" -}} - {{- template "kyverno.annotations.merge" (list - (toYaml .Values.customAnnotations) - (toYaml .Values.metricsConfig.annotations) - ) -}} -{{- end -}} - -{{- define "kyverno.config.configMapAnnotations" -}} - {{- template "kyverno.annotations.merge" (list - (toYaml .Values.customAnnotations) - (toYaml .Values.config.annotations) - ) -}} -{{- end -}} diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/namespace/namespace.yaml b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/namespace/namespace.yaml deleted file mode 100644 index 8de0253d..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/namespace/namespace.yaml +++ /dev/null @@ -1,8 +0,0 @@ -{{- if not .Values.kyverno.customNamespaces -}} -apiVersion: v1 -kind: Namespace -metadata: - labels: - {{- include "kyverno.labels.common" . | nindent 4 }} - name: {{ include "kyverno.namespace" . }} -{{- end -}} diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/namespace/rolebindings.yaml b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/namespace/rolebindings.yaml deleted file mode 100644 index 04ac9016..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/namespace/rolebindings.yaml +++ /dev/null @@ -1,13 +0,0 @@ -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ template "kyverno.name" . }}-installer - namespace: {{ include "kyverno.namespace" . }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "kyverno.name" . }}-installer -subjects: -- kind: ServiceAccount - name: {{ template "enterprise-kyverno.rbac.serviceAccountName" . }} - namespace: {{ template "enterprise-kyverno.namespace" . }} diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/namespace/roles.yaml b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/namespace/roles.yaml deleted file mode 100644 index 226b4f07..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/namespace/roles.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - namespace: {{ include "kyverno.namespace" . }} - name: {{ include "kyverno.name" . }}-installer -rules: -- apiGroups: ["*"] - resources: ["*"] - verbs: ["*"] diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/rbac/_helpers.tpl b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/rbac/_helpers.tpl deleted file mode 100644 index e1cc0b11..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/rbac/_helpers.tpl +++ /dev/null @@ -1,28 +0,0 @@ -{{/* vim: set filetype=mustache: */}} - -{{- define "kyverno.rbac.labels.admin" -}} -{{- template "kyverno.labels.merge" (list - (include "kyverno.labels.common" .) - (include "kyverno.rbac.matchLabels" .) - "rbac.authorization.k8s.io/aggregate-to-admin: 'true'" -) -}} -{{- end -}} - -{{- define "kyverno.rbac.labels.view" -}} -{{- template "kyverno.labels.merge" (list - (include "kyverno.labels.common" .) - (include "kyverno.rbac.matchLabels" .) - "rbac.authorization.k8s.io/aggregate-to-view: 'true'" -) -}} -{{- end -}} - -{{- define "kyverno.rbac.matchLabels" -}} -{{- template "kyverno.labels.merge" (list - (include "kyverno.matchLabels.common" .) - (include "kyverno.labels.component" "rbac") -) -}} -{{- end -}} - -{{- define "kyverno.rbac.roleName" -}} -{{ include "kyverno.fullname" . }}:rbac -{{- end -}} diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/rbac/policies.yaml b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/rbac/policies.yaml deleted file mode 100644 index aab002dd..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/rbac/policies.yaml +++ /dev/null @@ -1,48 +0,0 @@ -{{- if .Values.kyverno.admissionController.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.rbac.roleName" . }}:admin:policies - labels: - {{- include "kyverno.rbac.labels.admin" . | nindent 4 }} -{{- $commonAnnotations := include "kyverno.annotations.common" . | nindent 4 }} -{{- if $commonAnnotations }} - annotations: -{{ $commonAnnotations }} -{{- end }} -rules: - - apiGroups: - - kyverno.io - resources: - - cleanuppolicies - - clustercleanuppolicies - - policies - - clusterpolicies - verbs: - - create - - delete - - get - - list - - patch - - update - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.rbac.roleName" . }}:view:policies - labels: - {{- include "kyverno.rbac.labels.view" . | nindent 4 }} -rules: - - apiGroups: - - kyverno.io - resources: - - cleanuppolicies - - clustercleanuppolicies - - policies - - clusterpolicies - verbs: - - get - - list - - watch -{{- end -}} diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/rbac/policyreports.yaml b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/rbac/policyreports.yaml deleted file mode 100644 index edbbe3e3..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/rbac/policyreports.yaml +++ /dev/null @@ -1,44 +0,0 @@ -{{- if .Values.kyverno.admissionController.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.rbac.roleName" . }}:admin:policyreports - labels: - {{- include "kyverno.rbac.labels.admin" . | nindent 4 }} -{{- $commonAnnotations := include "kyverno.annotations.common" . | nindent 4 }} -{{- if $commonAnnotations }} - annotations: -{{ $commonAnnotations }} -{{- end }} -rules: - - apiGroups: - - wgpolicyk8s.io - resources: - - policyreports - - clusterpolicyreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.rbac.roleName" . }}:view:policyreports - labels: - {{- include "kyverno.rbac.labels.view" . | nindent 4 }} -rules: - - apiGroups: - - wgpolicyk8s.io - resources: - - policyreports - - clusterpolicyreports - verbs: - - get - - list - - watch -{{- end -}} diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/rbac/reports.yaml b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/rbac/reports.yaml deleted file mode 100644 index e78f2c63..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/rbac/reports.yaml +++ /dev/null @@ -1,70 +0,0 @@ -{{- if .Values.kyverno.admissionController.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.rbac.roleName" . }}:admin:reports - labels: - {{- include "kyverno.rbac.labels.admin" . | nindent 4 }} -{{- $commonAnnotations := include "kyverno.annotations.common" . | nindent 4 }} -{{- if $commonAnnotations }} - annotations: -{{ $commonAnnotations }} -{{- end }} -rules: - - apiGroups: - - kyverno.io - resources: - - admissionreports - - clusteradmissionreports - - backgroundscanreports - - clusterbackgroundscanreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - reports.kyverno.io - resources: - - ephemeralreports - - clusterephemeralreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.rbac.roleName" . }}:view:reports - labels: - {{- include "kyverno.rbac.labels.view" . | nindent 4 }} -rules: - - apiGroups: - - kyverno.io - resources: - - admissionreports - - clusteradmissionreports - - backgroundscanreports - - clusterbackgroundscanreports - verbs: - - get - - list - - watch - - apiGroups: - - reports.kyverno.io - resources: - - ephemeralreports - - clusterephemeralreports - verbs: - - get - - list - - watch -{{- end -}} diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/rbac/updaterequests.yaml b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/rbac/updaterequests.yaml deleted file mode 100644 index ed7dc839..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/rbac/updaterequests.yaml +++ /dev/null @@ -1,42 +0,0 @@ -{{- if .Values.kyverno.admissionController.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.rbac.roleName" . }}:admin:updaterequests - labels: - {{- include "kyverno.rbac.labels.admin" . | nindent 4 }} -{{- $commonAnnotations := include "kyverno.annotations.common" . | nindent 4 }} -{{- if $commonAnnotations }} - annotations: -{{ $commonAnnotations }} -{{- end }} -rules: - - apiGroups: - - kyverno.io - resources: - - updaterequests - verbs: - - create - - delete - - get - - list - - patch - - update - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.rbac.roleName" . }}:view:updaterequests - labels: - {{- include "kyverno.rbac.labels.view" . | nindent 4 }} -rules: - - apiGroups: - - kyverno.io - resources: - - updaterequests - verbs: - - get - - list - - watch -{{- end -}} diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/reports-controller/_helpers.tpl b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/reports-controller/_helpers.tpl deleted file mode 100644 index 5c53fdec..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/reports-controller/_helpers.tpl +++ /dev/null @@ -1,58 +0,0 @@ -{{/* vim: set filetype=mustache: */}} - -{{- define "kyverno.reports-controller.name" -}} -{{ template "kyverno.name" . }}-reports-controller -{{- end -}} - -{{- define "kyverno.reports-controller.labels" -}} -{{- template "kyverno.labels.merge" (list - (include "kyverno.labels.common" .) - (include "kyverno.reports-controller.matchLabels" .) -) -}} -{{- end -}} - -{{- define "kyverno.reports-controller.matchLabels" -}} -{{- template "kyverno.labels.merge" (list - (include "kyverno.matchLabels.common" .) - (include "kyverno.labels.component" "reports-controller") -) -}} -{{- end -}} - -{{- define "kyverno.reports-controller.image" -}} -{{- $imageRegistry := default .image.registry .globalRegistry -}} -{{- if $imageRegistry -}} - {{ $imageRegistry }}/{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }} -{{- else -}} - {{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }} -{{- end -}} -{{- end -}} - -{{- define "kyverno.reports-controller.roleName" -}} -{{ include "kyverno.fullname" . }}:reports-controller -{{- end -}} - -{{- define "kyverno.reports-controller.serviceAccountName" -}} -{{- if .Values.kyverno.reportsController.rbac.create -}} - {{ default (include "kyverno.reports-controller.name" .) .Values.kyverno.reportsController.rbac.serviceAccount.name }} -{{- else -}} - {{ required "A service account name is required when `rbac.create` is set to `false`" .Values.kyverno.reportsController.rbac.serviceAccount.name }} -{{- end -}} -{{- end -}} - -{{- define "kyverno.reports-controller.serviceAnnotations" -}} - {{- template "kyverno.annotations.merge" (list - (toYaml .Values.customAnnotations) - (toYaml .Values.kyverno.reportsController.metricsService.annotations) - ) -}} -{{- end -}} - -{{- define "kyverno.reports-controller.serviceAccountAnnotations" -}} - {{- template "kyverno.annotations.merge" (list - (toYaml .Values.customAnnotations) - (toYaml .Values.kyverno.reportsController.rbac.serviceAccount.annotations) - ) -}} -{{- end -}} - -{{- define "kyverno.reports-controller.caCertificatesConfigMapName" -}} -{{ printf "%s-ca-certificates" (include "kyverno.reports-controller.name" .) }} -{{- end -}} diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/reports-controller/clusterrole.yaml b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/reports-controller/clusterrole.yaml deleted file mode 100644 index 9cc89322..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/reports-controller/clusterrole.yaml +++ /dev/null @@ -1,135 +0,0 @@ -{{- if .Values.kyverno.reportsController.enabled -}} -{{- if .Values.kyverno.reportsController.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.reports-controller.roleName" . }} - labels: - {{- include "kyverno.reports-controller.labels" . | nindent 4 }} -{{- $commonAnnotations := include "kyverno.annotations.common" . | nindent 4 }} -{{- if $commonAnnotations }} - annotations: -{{ $commonAnnotations }} -{{- end }} -aggregationRule: - clusterRoleSelectors: - - matchLabels: - {{- include "kyverno.reports-controller.matchLabels" . | nindent 8 }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.reports-controller.roleName" . }}:core - labels: - {{- include "kyverno.reports-controller.labels" . | nindent 4 }} -{{- $commonAnnotations := include "kyverno.annotations.common" . | nindent 4 }} -{{- if $commonAnnotations }} - annotations: -{{ $commonAnnotations }} -{{- end }} -rules: - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - apiGroups: - - '' - resources: - - secrets - - configmaps - - namespaces - verbs: - - get - - list - - watch - - apiGroups: - - kyverno.io - resources: - - globalcontextentries - - globalcontextentries/status - - admissionreports - - clusteradmissionreports - - backgroundscanreports - - clusterbackgroundscanreports - - policyexceptions - - policies - - clusterpolicies - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection - - apiGroups: - - reports.kyverno.io - resources: - - ephemeralreports - - clusterephemeralreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection - - apiGroups: - - wgpolicyk8s.io - resources: - - policyreports - - policyreports/status - - clusterpolicyreports - - clusterpolicyreports/status - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection - - apiGroups: - - '' - - events.k8s.io - resources: - - events - verbs: - - create - - patch -{{- with .Values.kyverno.reportsController.rbac.coreClusterRole.extraResources }} - {{- toYaml . | nindent 2 }} -{{- end }} -{{- with .Values.kyverno.reportsController.rbac.clusterRole.extraResources }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.reports-controller.roleName" $ }}:additional - labels: - {{- include "kyverno.reports-controller.labels" $ | nindent 4 }} -{{- $commonAnnotations := include "kyverno.annotations.common" . | nindent 4 }} -{{- if $commonAnnotations }} - annotations: -{{ $commonAnnotations }} -{{- end }} -rules: - {{- range . }} - - apiGroups: - {{- toYaml .apiGroups | nindent 6 }} - resources: - {{- toYaml .resources | nindent 6 }} - verbs: - - get - - list - - watch - {{- end }} -{{- end }} -{{- end }} -{{- end }} diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/reports-controller/clusterrolebinding.yaml b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/reports-controller/clusterrolebinding.yaml deleted file mode 100644 index 30557042..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/reports-controller/clusterrolebinding.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if .Values.kyverno.reportsController.enabled -}} -{{- if .Values.kyverno.reportsController.rbac.create -}} -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ template "kyverno.reports-controller.roleName" . }} - labels: - {{- include "kyverno.reports-controller.labels" . | nindent 4 }} -{{- $commonAnnotations := include "kyverno.annotations.common" . | nindent 4 }} -{{- if $commonAnnotations }} - annotations: -{{ $commonAnnotations }} -{{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "kyverno.reports-controller.roleName" . }} -subjects: -- kind: ServiceAccount - name: {{ template "kyverno.reports-controller.serviceAccountName" . }} - namespace: {{ template "kyverno.namespace" . }} -{{- end -}} -{{- end -}} diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/reports-controller/role.yaml b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/reports-controller/role.yaml deleted file mode 100644 index a9596dc0..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/reports-controller/role.yaml +++ /dev/null @@ -1,45 +0,0 @@ -{{- if .Values.kyverno.reportsController.enabled -}} -{{- if .Values.kyverno.reportsController.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ template "kyverno.reports-controller.roleName" . }} - labels: - {{- include "kyverno.reports-controller.labels" . | nindent 4 }} -{{- $commonAnnotations := include "kyverno.annotations.common" . | nindent 4 }} -{{- if $commonAnnotations }} - annotations: -{{ $commonAnnotations }} -{{- end }} - namespace: {{ template "kyverno.namespace" . }} -rules: - - apiGroups: - - '' - resources: - - configmaps - verbs: - - get - - list - - watch - resourceNames: - - {{ include "kyverno.config.configMapName" . }} - - {{ include "kyverno.config.metricsConfigMapName" . }} - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - delete - - get - - patch - - update - resourceNames: - - kyverno-reports-controller -{{- end -}} -{{- end -}} diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/reports-controller/rolebinding.yaml b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/reports-controller/rolebinding.yaml deleted file mode 100644 index f141c461..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/reports-controller/rolebinding.yaml +++ /dev/null @@ -1,24 +0,0 @@ -{{- if .Values.kyverno.reportsController.enabled -}} -{{- if .Values.kyverno.reportsController.rbac.create -}} -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ template "kyverno.reports-controller.roleName" . }} - labels: - {{- include "kyverno.reports-controller.labels" . | nindent 4 }} -{{- $commonAnnotations := include "kyverno.annotations.common" . | nindent 4 }} -{{- if $commonAnnotations }} - annotations: -{{ $commonAnnotations }} -{{- end }} - namespace: {{ template "kyverno.namespace" . }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ template "kyverno.reports-controller.roleName" . }} -subjects: - - kind: ServiceAccount - name: {{ template "kyverno.reports-controller.serviceAccountName" . }} - namespace: {{ template "kyverno.namespace" . }} -{{- end -}} -{{- end -}} diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/reports-controller/serviceaccount.yaml b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/reports-controller/serviceaccount.yaml deleted file mode 100644 index 615a590b..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/reports-controller/serviceaccount.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if .Values.kyverno.reportsController.enabled -}} -{{- if .Values.kyverno.reportsController.rbac.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ template "kyverno.reports-controller.serviceAccountName" . }} - namespace: {{ template "kyverno.namespace" . }} - labels: - {{- include "kyverno.reports-controller.labels" . | nindent 4 }} - {{- with .Values.kyverno.reportsController.rbac.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end -}} -{{- end -}} diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/validate.yaml b/charts/enterprise-kyverno-operator/templates/kyverno-1.12/validate.yaml deleted file mode 100644 index 2ac19995..00000000 --- a/charts/enterprise-kyverno-operator/templates/kyverno-1.12/validate.yaml +++ /dev/null @@ -1,43 +0,0 @@ -{{- if and (eq .Values.kyverno.cleanupController.enabled true) (eq .Values.crds.groups.kyverno.cleanuppolicies false) }} -{{- fail "CRD cleanuppolicies disabled while cleanupController enabled" }} -{{- end }} -{{- if and (eq .Values.kyverno.cleanupController.enabled true) (eq .Values.crds.groups.kyverno.clustercleanuppolicies false) }} -{{- fail "CRD clustercleanuppolicies disabled while cleanupController enabled" }} -{{- end }} -{{- if and (eq .Values.kyverno.reportsController.enabled true) (eq .Values.crds.groups.wgpolicyk8s.clusterpolicyreports false) }} -{{- fail "CRD clusterpolicyreports disabled while reportsController enabled" }} -{{- end }} -{{- if and (eq .Values.kyverno.reportsController.enabled true) (eq .Values.crds.groups.wgpolicyk8s.clusterpolicyreports false) }} -{{- fail "CRD clusterpolicyreports disabled while reportsController enabled" }} -{{- end }} -{{- if and (eq .Values.kyverno.reportsController.enabled true) (eq .Values.crds.groups.kyverno.backgroundscanreports false) }} -{{- fail "CRD backgroundscanreports disabled while reportsController enabled" }} -{{- end }} -{{- if and (eq .Values.kyverno.reportsController.enabled true) (eq .Values.crds.groups.kyverno.clusterbackgroundscanreports false) }} -{{- fail "CRD backgroundscanreports disabled while reportsController enabled" }} -{{- end }} - -{{- if hasKey .Values "mode" -}} - {{- fail "mode is not supported anymore, please remove it from your release and use admissionController.replicas instead." -}} -{{- end -}} - -{{- if eq (include "kyverno.namespace" .) "kube-system" -}} - {{- fail "Kyverno cannot be installed in namespace kube-system." -}} -{{- end -}} - -{{- if not .Values.kyverno.upgrade.fromV2 -}} - {{- $v2 := lookup "apps/v1" "Deployment" (include "kyverno.namespace" .) (include "kyverno.fullname" .) -}} - {{- if $v2 -}} - {{- fail (join "\n" (list - "" - "" - " +--------------------------------------------------------------------------------------------------------------------------------------+" - " | An earlier Helm installation of Kyverno was detected. |" - " | Given this chart version has significant breaking changes, the upgrade has been blocked. |" - " | Please review the release notes and chart README section and then, once prepared, set `upgrade.fromV2: true` once ready to proceed. |" - " +--------------------------------------------------------------------------------------------------------------------------------------+" - "" - )) - -}} - {{- end -}} -{{- end -}} diff --git a/charts/enterprise-kyverno-operator/templates/kyverno-webhook/_helpers.tpl b/charts/enterprise-kyverno-operator/templates/kyverno-webhook/_helpers.tpl new file mode 100644 index 00000000..97a34c02 --- /dev/null +++ b/charts/enterprise-kyverno-operator/templates/kyverno-webhook/_helpers.tpl @@ -0,0 +1,26 @@ +{{/* vim: set filetype=mustache: */}} +{{- define "kyverno.config.labels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.labels.common" .) + (include "kyverno.config.matchLabels" .) +) -}} +{{- end -}} + +{{- define "kyverno.config.matchLabels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.matchLabels.common" .) + (include "kyverno.labels.component" "config") +) -}} +{{- end -}} + +{{- define "kyverno.config.webhooks" -}} +{{- $excludeDefault := dict "key" "kubernetes.io/metadata.name" "operator" "NotIn" "values" (list (include "kyverno.namespace" .)) }} +{{- $newWebhook := list }} +{{- range $webhook := .Values.kyverno.config.webhooks }} + {{- $namespaceSelector := default dict $webhook.namespaceSelector }} + {{- $matchExpressions := default list $namespaceSelector.matchExpressions }} + {{- $newNamespaceSelector := dict "matchLabels" $namespaceSelector.matchLabels "matchExpressions" (append $matchExpressions $excludeDefault) }} + {{- $newWebhook = append $newWebhook (merge (omit $webhook "namespaceSelector") (dict "namespaceSelector" $newNamespaceSelector)) }} +{{- end }} +{{- $newWebhook | toJson }} +{{- end -}} diff --git a/charts/enterprise-kyverno-operator/templates/post-kyverno-upgrade-migrate-resources.yaml b/charts/enterprise-kyverno-operator/templates/post-kyverno-upgrade-migrate-resources.yaml deleted file mode 100644 index 1d591fbd..00000000 --- a/charts/enterprise-kyverno-operator/templates/post-kyverno-upgrade-migrate-resources.yaml +++ /dev/null @@ -1,117 +0,0 @@ -{{- if .Release.IsUpgrade }} -{{- if .Values.kyverno.crds.migration.enabled -}} -{{- if not .Values.kyverno.templating.enabled -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.fullname" . }}:migrate-resources - labels: - {{- include "kyverno.hooks.labels" . | nindent 4 }} - annotations: - helm.sh/hook: post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed - helm.sh/hook-weight: "100" -rules: - - apiGroups: - - kyverno.io - resources: - - '*' - verbs: - - get - - list - - update - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions/status - verbs: - - update ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ template "kyverno.fullname" . }}:migrate-resources - labels: - {{- include "kyverno.hooks.labels" . | nindent 4 }} - annotations: - helm.sh/hook: post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed - helm.sh/hook-weight: "100" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "kyverno.fullname" . }}:migrate-resources -subjects: - - kind: ServiceAccount - name: {{ template "kyverno.fullname" . }}-migrate-resources - namespace: {{ template "kyverno.namespace" . }} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ template "kyverno.fullname" . }}-migrate-resources - namespace: {{ template "kyverno.namespace" . }} - labels: - {{- include "kyverno.hooks.labels" . | nindent 4 }} - annotations: - helm.sh/hook: post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - helm.sh/hook-weight: "100" ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ template "kyverno.fullname" . }}-migrate-resources - namespace: {{ template "kyverno.namespace" . }} - labels: - {{- include "kyverno.hooks.labels" . | nindent 4 }} - annotations: - helm.sh/hook: post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed - helm.sh/hook-weight: "200" -spec: - backoffLimit: 2 - template: - metadata: - {{- with .Values.kyverno.crds.migration.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.kyverno.crds.migration.podLabels }} - labels: - {{- toYaml . | nindent 8 }} - {{- end }} - spec: - serviceAccount: {{ template "kyverno.fullname" . }}-migrate-resources - {{- with .Values.kyverno.crds.migration.podSecurityContext }} - securityContext: - {{- tpl (toYaml .) $ | nindent 8 }} - {{- end }} - restartPolicy: Never - containers: - - name: kubectl - image: {{ (include "kyverno.image" (dict "globalRegistry" ((.Values.kyverno.global).image).registry "image" .Values.kyverno.crds.migration.image "defaultTag" (default .Values.kyverno.image.tag .Values.kyverno.crds.migration.image.tag))) | quote }} - imagePullPolicy: {{ .Values.kyverno.crds.migration.image.pullPolicy }} - args: - - migrate - {{- range .Values.kyverno.crds.migration.resources }} - - --resource - - {{ . }} - {{- end }} - {{- with .Values.kyverno.crds.migration.securityContext }} - securityContext: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.kyverno.crds.migration.imagePullSecrets }} - imagePullSecrets: - {{- tpl (toYaml .) $ | nindent 8 }} - {{- end }} -{{- end -}} -{{- end -}} -{{- end -}} diff --git a/charts/enterprise-kyverno-operator/templates/post-kyverno-upgrade.yaml b/charts/enterprise-kyverno-operator/templates/post-kyverno-upgrade.yaml deleted file mode 100644 index 1f8d3996..00000000 --- a/charts/enterprise-kyverno-operator/templates/post-kyverno-upgrade.yaml +++ /dev/null @@ -1,61 +0,0 @@ -{{- if not .Values.kyverno.templating.enabled -}} -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ template "kyverno.fullname" . }}-hook-post-upgrade - namespace: {{ template "kyverno.namespace" . }} - annotations: - "helm.sh/hook": post-upgrade - "helm.sh/hook-delete-policy": hook-succeeded,hook-failed -spec: - backoffLimit: 2 - template: - spec: - serviceAccount: {{ template "kyverno.admission-controller.serviceAccountName" . }} - {{- with .Values.kyverno.helm.policyReportsCleanup.podSecurityContext }} - securityContext: - {{- tpl (toYaml .) $ | nindent 8 }} - {{- end }} - restartPolicy: Never - containers: - - name: kubectl - image: {{ (include "kyverno.image" (dict "globalRegistry" ((.Values.kyverno.global).image).registry "image" .Values.kyverno.helm.policyReportsCleanup.image "defaultTag" (default .Chart.AppVersion .Values.kyverno.helm.policyReportsCleanup.image.tag))) | quote }} - imagePullPolicy: {{ .Values.kyverno.helm.policyReportsCleanup.image.pullPolicy }} - command: - - sh - - -c - - | - echo "waiting" - sleep 60 - kubectl wait --for=condition=available deployment/kyverno-admission-controller --timeout=60s --namespace=kyverno - kubectl wait --for=condition=available deployment/kyverno-background-controller --timeout=60s --namespace=kyverno - kubectl wait --for=condition=available deployment/kyverno-reports-controller --timeout=60s --namespace=kyverno - kubectl wait --for=condition=available deployment/kyverno-cleanup-controller --timeout=60s --namespace=kyverno - - NAMESPACES=$(kubectl get namespaces --no-headers=true | awk '{print $1}') - - for ns in $NAMESPACES; do - COUNT=$(kubectl get policyreports.wgpolicyk8s.io -n "$ns" --no-headers=true | awk '/pol/{print $1}' | wc -l) - - if [ "$COUNT" -gt 0 ]; then - echo "deleting $COUNT policyreports in namespace $ns" - kubectl get policyreports.wgpolicyk8s.io -n "$ns" --no-headers=true | awk '/pol/{print $1}' | xargs kubectl delete -n "$ns" policyreports.wgpolicyk8s.io - else - echo "no policyreports in namespace $ns" - fi - done - - COUNT=$(kubectl get clusterpolicyreports.wgpolicyk8s.io --no-headers=true | awk '/pol/{print $1}' | wc -l) - - if [ "$COUNT" -gt 0 ]; then - echo "deleting $COUNT clusterpolicyreports" - kubectl get clusterpolicyreports.wgpolicyk8s.io --no-headers=true | awk '/pol/{print $1}' | xargs kubectl delete clusterpolicyreports.wgpolicyk8s.io - else - echo "no clusterpolicyreports" - fi - {{- with .Values.kyverno.helm.policyReportsCleanup.securityContext }} - securityContext: - {{- toYaml . | nindent 12 }} - {{- end }} -{{- end -}} - diff --git a/charts/enterprise-kyverno-operator/templates/pre-delete-hook.yaml b/charts/enterprise-kyverno-operator/templates/pre-delete-hook.yaml index 13060a83..4203c48f 100644 --- a/charts/enterprise-kyverno-operator/templates/pre-delete-hook.yaml +++ b/charts/enterprise-kyverno-operator/templates/pre-delete-hook.yaml @@ -40,15 +40,6 @@ spec: - -c - > kubectl -n {{ include "enterprise-kyverno.namespace" . }} delete policyset --all; - {{- if .Values.awsAdapter.createCR }} - kubectl -n {{ include "enterprise-kyverno.namespace" . }} delete kyvernoadapters aws-adapter-config; - {{- end }} - {{- if .Values.imageScanAdapter.createCR }} - kubectl -n {{ include "enterprise-kyverno.namespace" . }} delete kyvernoadapters image-scan-adapter-config; - {{- end }} - {{- if .Values.cisAdapter.createCR }} - kubectl -n {{ include "enterprise-kyverno.namespace" . }} delete kyvernoadapters cis-adapter-config; - {{- end }} {{- if .Values.kyverno.createCR }} kubectl -n {{ include "enterprise-kyverno.namespace" . }} patch kyvernoconfigs kyverno -p '{"metadata":{"finalizers":[]}}' --type=merge; diff --git a/charts/enterprise-kyverno-operator/values.yaml b/charts/enterprise-kyverno-operator/values.yaml index 2447b05f..23872d9c 100644 --- a/charts/enterprise-kyverno-operator/values.yaml +++ b/charts/enterprise-kyverno-operator/values.yaml @@ -42,6 +42,9 @@ rbac: name: "" enableWebhook: true +kyvernoDeployment: kyverno-admission-controller +kyvernoNamespace: kyverno +enablePolicyset: false # Whether certificate management is done by "cert-manager", "operator", "other" certManager: operator